Preparing for the General Data Protection Regulations
Is your business ready for the General Data Protection Regulations?
European companies, or even those simply working with European citizens, should begin strategizing as soon as possible to stay compliant with the upcoming Data Protection legislation. If you’re concerned that your business may not be in line, you’re not alone; many companies, and small ones in particular, have heretofore prioritized speed and responsiveness over scrupulous record-keeping. And as policy changes, getting your marketing databases collated may feel like an overwhelming task.
However, there are many benefits to becoming compliant with the GDPR, aside from the obvious legal ones. Certified adherence to these regulations is extremely beneficial for a business’ reputation. You can check out the Information Commissioner’s Office website for firsthand information: they have a handy, 12-step guide to preparing for the GDPR’s enforcement, which begins May 25 of 2018. Step one of their guide is to make sure you’re aware that the legislation is changing-- if you’re reading this, you’re already ahead.
The other 11 steps can be found on the ICO website, but we’ve broken down what you’ll need to into three broader categories.
Assemble all the data you possess-- customer records, email addresses, any personal information you’ve collected in the course of business. Start tracking all the personal data you hold, where it came from, and who you share it with. Email databases are a good place to start, but you will also want to look into the phones and laptops your employees work from, as well as campaign data, accounts data, old unused lists and legacy systems. You will likely be surprised at the number of places you will find personal data lying around. It is crucial to amass everything you can, because you may be subject to an information audit.
“Re-permissioning” and Data Cleansing
Step 7 of the ICO’s list is to review how you seek, record, and manage the consent of those on your contact list.
To that end: once your data is assembled, your next step should be to wrangle all of it into a standardized format. Every record should be coded the same way, using the same fields and rules. This will help you avoid duplication and ensure the easiest possible access to customer information. Accidentally recombining an “unsubscribe” list into your database is an easy mistake to make if your organizational format is not standardized.
As you update your systems, you may see a significant drop in the number of legitimate contacts in your compliant database. Systems plagued over the years by duplicated, incomplete, and out-of-date information might end up reduced by up to 85%. But although this may feel like a loss, your databases are much healthier without that information
what were all those duplicates doing for you, besides adding to your storage and processing costs?
A streamlined, complete, and accurate list can boost your open rate to 60 or 70%, as opposed to a disorganized list that will place your open rate closer to 5 or 10%. Ultimately, you’ll increase your performance and reach, and ditch a lot of unnecessary data baggage.
When you’re ready to proceed with your freshly organized database, the ICO advises that you refresh your consents to make sure they comply with the GDPR. This basically involves contacting your lists and asking for the required permissions to continue marketing to them in the future. One thing to be aware of, however, is that the GDPR requires you to have a lawful reason to make contact with your lists. You may contact these people if:
- The subject has already consented to contact.
- Processing is required as part of a contract.
- Processing is part of a legal requirement.
- Processing occurs in the exercise of official authority vested in the controller, or is necessary for the performance of a task carried out in the public interest.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary to pursue the interests of of the controller or a third party (except where such a pursuit is overridden by the freedoms, rights, or interests of the data subject).
The ICO recommends that once you have nailed down the lawful basis for your processing activity, you update your policy to explain it. This will save you some thought if you need to refresh your permissions in the future.
With all of this accomplished, it’s time to build your data castle.
You will need to create a database in which to collect, store, and edit your newly streamlined information sets. As you do so, General Data Protection Regulations will be integrated right into your system. Design your database with standardized fields for all the data you need to store, as well as the permissions you need to hold in order to continue communicating with the people in your database. While you’re updating your permissions, you should also establish procedures for dealing with the rights of individuals to “unsubscribe” and have their personal information deleted.
With these protocols and consistent formats in place, compliance with GDPR will be very straightforward. All the information you might need to present will be at your fingertips and immediately available to demonstrate your bona fides. You will also want to update your security, both for the sake of your own systems and to retain GDPR certification.
This body of tasks may seem daunting, but with the right team and a step-by-step approach, it can be broken down into manageable pieces. Assembling the right team is its own challenge, but doing so now will protect and aid you long into the future.
The General Data Protection Regulations come into effect on May 25th of 2018 and apply to anyone doing business in the EU, or with customers in the EU-- and, if you’re reading this, probably applies to your business. If you take a systematic approach, consult with some experts, and start now, you should be all set well before the deadline. To discuss with our experts, visit CROWD. or send us an email to firstname.lastname@example.org.