The ICO and others have been publishing a lot of guidance to help people through the maze of GDPR and one of the most useful summaries was a short guide Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now. Well we thought it was good and so we based our GDPR service offering to our clients around these twelve steps. Why re-invent the wheel?
A fair number of the steps concern understanding what personal data you hold, where it is, who has access and what risks centre around this data – particularly any sensitive data you might hold – and how you can ensure these risks are minimised. You have to ensure that you are clear about the legal basis you are undertaking processing and communications, whether this is consent or legitimate interest or because of contractual or other legal obligations or to protect the vital interests of the data subject.
GDPR is also concerned with ensuring that your customer are fully informed of their rights and how you communicate those rights to them with appropriate short form data protection statements and long form privacy notices. Amongst others, people have the right to access their information, correct it, change consent preferences easily and the right to be forgotten. For some sectors (such as utilities) data portability will be a particular concern.
For marketers gaining, keeping, refreshing and managing consent organisation wide will need particular attention. Researching data protection statement to improve sign up, building out preference centres to ensure consent management becomes a much more iterative ‘always on’ process and gaining or regaining appropriate consent through (re-)permissioning campaigns are all things you will need to consider. Existing consumer consent you have may not be sufficient for GDPR so you need to review this. Consent must be freely given, specific, and an informed indication of the individuals wishes for an unambiguous purpose – in clear and plain language. It must be an affirmative action, so silence and pre-ticked boxes aren’t acceptable. You’ll need to evidence when, what and how consent was given and that data is being used in a complaint manner. In fact, evidence is a watch word and under GDPR you are required to be able to demonstrate that you comply with the various principles. Evidence and documentation are key so you need to make sure all decisions are well thought through, documented and kept for audit purposes.
Your staff need to be aware of what GDPR is, what are the impacts, what processes need to be put in place and how to follow them, what happens when things go wrong and how to deal with any suppliers who handle data for you. Awareness training will be important.
And should things go wrong you need to have processes in place to notify the ICO and your customers in good time to minimise the damage and risk that a data breach can cause. Pre-planning and pre-canning scenarios will help you meet that rapid response requirement.
Perhaps defining compliance as heaven is a step too far, but the alternative of the large fines that could head your way if you aren’t compliant and you aren’t doing the right thing by your customer, sounds very much like hell.
Instead it’s time to embrace GDPR in a positive way. We all have a duty to do the right thing and this could be seen as a good reset point. We shouldn’t be afraid of the potential impact on database size – those left will be truly engaged and this should improve ROI from better targeted Direct Marketing. It’s about having confidence in the brands and our skills as marketers to motivate consumers to take action and engage with us on their terms, giving them control, but also ensuring we can still communicate with them to both their and our benefit.
Director of Strategy & Insight | Paragon Customer Communications
M: +44 (0) 7875 134 818