What you need to do before 2018: GDPR in a nutshell
It may seem like everyone is talking about GDPR (the General Data Protection Regulation) at the moment, ahead of its implementation in May 2018. Still, many organisations are finding it difficult to decipher what is critical to focus on in order to prepare for its impact. One business owner compared it to the “Y2K” problem: an issue that’s on everybody’s lips, but nobody knows exactly how businesses will be affected.
Does GDPR apply to your business?
All businesses handle some aspect of customer data, making them subject to the regulations within the DPA (Data Protection Act). If you are aware of the DPA principles and comply with them, then you already have some of the foundations in place for managing data in line with GDPR – but you will need to improve your processes and stay ahead of the data game.
What are the main GDPR requirements?
GDPR is designed to limit the power of organisations when it comes to potential misuse of subject data. The regulations will expect you to take a number of actions to improve data protection and transparency across the board.
GDPR expects you to:
1. Keep customer data safe
The whole idea of data protection is to make sure that you do all you can to keep your customer data under lock and key. This is of course beneficial to your customers as well as for your business: neither you nor your customers want any breaches where outsiders can tap into the personal data stored.
2.Keep records of the data journey
One key concept of GDPR is the need to document how each customer’s record is managed. In real terms, this means that you must be able to show an individual their ‘data journey’ upon request. You may need to clarify how the customer data has been acquired and how it has travelled through your systems and communications, as well as where and how it has been stored.
For consumer data, this has been part of good practice for years. However, the GDPR is extending the requirement to also cover B2B user records.
3.Let the customer be in control
‘Permission marketing’ is an approach to communications that requires the customer to make an active choice to receive information or become registered in a database.
A responsible business should already be practising this type of registration of details. Many companies now use opt-in forms with clear terms and conditions, allowing the client to willingly submit their contact data. Similarly, businesses are now also expected to make it very easy for customers to opt out of communications, or choose what they want to receive and not receive.
GDPR will take a stronger legal stance on opt-in procedures, with the requirement for ‘double opt-ins’. This means you will have to do all you can to ensure people are genuinely and willingly submitting their personal information.
4.Share liability with all other data touchpoints
A critical part of GDPR is the shared responsibility between data ‘controllers’ and data ‘processors’. If your customer data passes through a third party and they cause a data breach, you will be able to claim back money from them if the customer wants compensation. But equally, if your business plays a part in managing another organisation’s customer data, you may be held liable for any damages partially caused by you.
5.Pay when you don’t comply
One of the big talking points of GDPR is the eye-watering fines. Under the new regulations, a breach will be very costly. A company may be fined up to €20million or 4% of global annual turnover – whichever is greater. Fines at this level can of course be crippling for many organisations, and can’t be taken lightly.
What you need to do
The GDPR requirements will mean very different things depending on where your business focus is. The more complex, detailed and sensitive the customer data your business relies on, the more you need to consider security and transparency in data management and explicit consent for communications.
How to start with GDPR preparations
- Designate a person to be a contact point for the Data Protection Authority and for your data subjects, and a Data Protection Officer to monitor compliance when it comes to processing operations.
- Create ‘data trails’ where you track your data subjects’ journey through various platforms and systems – both in and outside of the EU.
- Create processes for ‘forgetting’ user data when requested.
- Create processes for disclosing and exporting user data to subjects when requested.
- Create a plan of action for when a data breach takes place.
- Carry GDPR as a beacon when designing your ongoing data management processes and marketing strategy.
Take a new approach to data
As a business, the new regulations may seem challenging and confusing. However, you have the ability to tap into the knowledge of IT service providers, data management specialists and support organisations, who can guide you through the steps you need to take.
Staying a head of the game doesn’t have to be difficult!