As the implementation deadline of May 25, 2018 approaches, it’s more important than ever to understand GDPR, or General Data Protection Regulation. Luckily, it’s not hard to find information. Many guides and resources abound describing requirements and protocols under this new law. Relationship One’s recent Industry Brief: CAN-SPAM, CASL & GDPR provides an excellent comparison of compliance laws and details a number of GDPR’s regulatory measures that apply most to marketers.
Although these resources are incredibly helpful in understanding the details behind the regulations, they don’t often speak to the proactive preparations required for marketers to be ready. Although GDPR affects all levels of an organization, it is important for marketers to understand their role in planning for, and adhering to, GDPR law. In this article, we will focus not only on GDPR’s regulations, but also on steps you can follow to begin preparing for these upcoming changes.
GDPR Rules and Regulations Overview
Relationship One’s Industry Brief covers GDPR rules quite well, but a few regulations may impact marketers most directly and are listed below. We advise that you speak with your legal team regarding each requirement as Relationship One cannot provide legal counsel on these matters.
- Data Protection Officer (DPO) – In some cases, your company may be required to have a Data Protection Officer, or equivalent. Although not necessarily the responsibility of marketing, it’s important for marketers to understand the reasons behind this regulation and how they will need to collaborate with the DPO.
- Data Protection – Data needs to be protected quite specifically, and access to this data needs to be regulated.
- Consent – Consent needs to be given explicitly, and pre-checked boxes on forms are not acceptable. There are specific rules around how opt-in needs to be collected depending on source (online, phone, etc.). Consent regulations are also quite strict for minors.
- Data Collection and Usage – There must be a reasonable legal basis for processing and collecting personal data. The length of time that data can be held must be defined by a reasonable measure and clearly defined to the public.
- Consumer rights – Each consumer has a right to be forgotten. They may also request their personal data from your systems in a portable format.
Eight Things You Can Do Now to Prepare for GDPR
As marketers, we know GDPR is looming, but in some cases, we aren’t sure how or where to begin our preparation. Here are eight actionable steps you can take to ensure you are ready.
- First things first. Chat with your legal team. Ensure your company has a corporate governance policy for all things compliance-related, including CASL, CAN-SPAM, and GDPR. As stated previously, guides and resources like this article are fantastic, but none of us can provide the same advice as your legal counsel. Be sure you work with your legal team to understand the specific requirements in the communications you are utilizing.
- Conduct a data audit. This is a global audit of grand proportions that may require a DPO, and certainly expands well beyond marketing data. However, as marketers, we should conduct our own data audit. Review your data collection practices, including fields collected, storage practices, usage requirements, data accessibility, etc. Audit the security of your data, including who has access to it and why. Create an audit report that explicitly defines your current data collection, storage, and usage practices.
- Audit your current compliance and opt-in procedures. Are you only opting in consumers that provide explicit consent, or do new processes need to be created? It is important to secure direction from your legal team when devising your strategy and implementation for an opt-in process. As part of the assessment process, review your current architecture to ensure you have the foundation in place to collect and store consent so you are compliant with all regulations. If you uncover gaps, now is the time to build a plan of action so compliance is complete before May 25, 2018.
- Review your ability to comply with a consumer’s right to be forgotten. Anybody at any time can request that their private information be removed from your system. Again, this goes beyond marketing, but marketers need to have a plan to remove this data from their systems. This plan needs to be in compliance with your company’s governing policy. Consider your process to find, remove, and confirm forgotten status.
- Review your ability to provide consumers with their personal information in a portable format. Consumers have the right, at any time, to request the information you have collected and stored within their profile. How would you do that today? If you don’t currently have a process, now is the time to work with your DPO or internal data team to make it happen.
- Audit the security settings within your current marketing technologies. How is security access granted today? Does that meet the stricter requirements currently being imposed by GDPR? Work with your legal team to understand how security privileges may need to be changed to ensure data is protected and in compliance with rules and regulations.
- Communicate, communicate, communicate. GDPR is a cross-functional and global regulatory law. It’s extremely important to work with your legal and data teams to define a corporate governance policy. Once this policy is in place, develop a communication plan for your team that describes the regulations, their impact to the team and their processes, and the plan of action to follow. A thorough communication plan can be an integral component in ensuring company-wide compliance.
In some cases, you may want to consider an impact assessment to fully understand and document how GDPR will affect your organization, and, most notably, your marketing processes. This will likely require a cross-functional team that can properly assess impacts to data regulation, data collection, process control, security, etc.; the team should include marketing but not be limited to it. This team can identify gaps in compliance as they relate to your organization’s legal requirements and make plans to address them.
GDPR, and compliance in general, is a very complex topic. Regulatory measures that impact data management and communication should be taken quite seriously and managed at the global level. Marketers can do their part by understanding the laws, assessing their greatest impact on marketing processes, and devising preparations in congruence with their organization’s overall requirements.
If you would like additional information on GDPR and how you can be best prepared, please contact us at Relationship One.