Steps Towards GDPR Compliance
April 22, 2018
The GDPR deadline is only a matter of weeks away, so now is the time to get compliant. At Dotwise, we’re getting all belt-and-braces, not only with our clients but with our own processes as well. We’re all in this together!
We’ve been attending seminars (such as that hosted by Kingston Chamber of Commerce), talking to GDPR professionals (yes they exist now) and reading and re-reading the guidelines as they develop on the ICO website.
Doing data better
GDPR isn’t there to stop you doing business, it is there to protect the data rights of the individual, putting them back in control of where their details are being stored or shared.
GDPR widens the scope of subject data that needs to be protected and gives subjects a clearer say on when, and where, they are happy to have their information stored.
As a result, the individual will have the legal right to:
- Be informed their data is being held
- View their data
- Have their data amended or deleted
- Object to the use of their data
- Not be subject to automated decision-making
Any good business will already be handling customer or client data with care. GDPR makes sure you’re being extra diligent and keeping them aware and satisfied that you are not randomly sharing, exploiting or even selling their details.
The six step plan
The Information Commissioner’s Office or ICO has created a useful twelve-step plan for GDPR compliance to help give businesses a steer on what they need to do.
First things first; it’s important to make sure you appoint a designated GDPR role within your organisation. It doesn’t have to be a data specialist, but somebody who can help oversee and manage the compliance process.
Step one: audit
- Look at the data you hold, where it came from and who you share it with.
- Review current data protection and security measures, as well as privacy policies.
- Review current processes and procedures.
Step two: inform
- Update privacy policies and procedures.
- Notify subjects on how you capture and store data. This applies to new and existing customers or clients.
- Consider all points or areas where you collect data, both on and offline.
- Capture and record consent from all customers or clients.
Step three: practice what you preach
- Ensure customers or clients are always aware of how their data is being used.
- Make sure all staff are fully trained and also complying with legislation.
Step four: accountability
- You need to be able to show accountability and ensure you are monitoring and protecting data at all times. The ICO goes into more detail, but key areas are:
  - Appointing a Data Protection Officer
  - Improving data security
  - Data minimisation
Step five: respond
- You must respond to all Subject Access Requests (SARs), data breaches or complaints.
- It is important to ensure you verify the identity of the person making the SAR.
- Requests must be responded to within a month, and with no charge.
- If a security breach is likely, then all subjects must be notified within 72 hours.
- If a data breach is set to be a high risk to the rights and freedoms of subjects, then you must notify each individual directly.
Step six: repeat and review
- Make sure you are constantly reviewing and monitoring your own compliance, as well as legislation.
- Look at staff training whenever necessary.
- Update and amend processes when required.
Impact on digital marketing
The main GDPR principles for Digital Marketing are consent and the ability to demonstrate a legitimate interest for keeping subject data for marketing purposes. Consent must be specific, clear and freely given, and it can be withdrawn at any time. It must not be detrimental to the individual.
This is one of the most important points for marketers – you can only collect subject data for a specific purpose. It cannot be re-used elsewhere. For example, capturing data via a sign-up form and then using it to regularly email newsletters or marketing materials will breach the GDPR.
Data must only be captured and used for that specific project or campaign. It cannot be re-used or shared elsewhere.
GDPR also impacts Cookie Consent, but there are variables at play here. Visitors to your site do need to be able to either accept or reject cookies and be clearly presented with the option to opt-in or opt-out. A button that gives the individual a choice to opt-in or out must be shown to users. However, in limited circumstances, implied consent may be a more practical option than the explicit opt-in model.
Google and Facebook tracking and analytics
Ultimately, anything you use that tracks customer journeys and captures their data must be made clear to the individual.
How we can help
The ICO isn’t trying to stop you from doing business, but they are trying to make online data capture more transparent. The May 25th deadline isn’t moveable and there will be penalties for non-compliance, so doing nothing is not an option.
Admittedly, there is a lot to consider with GDPR, and if there are any areas where you feel you need help or support, then drop us a line. We understand that Digital Marketing itself can seem confusing, so add GDPR into the mix and it can feel even more like a minefield! As we stated at the beginning, you’re doing most of it already, it’s just a case of making it even better.