5 steps to becoming GDPR ready
The rules around how companies process, store and use personal information are changing, what does this mean now for the way you’re collecting and utilising your customers’ data?
SEE ALSO: Fifth of customers refuse to share personal data in 2018
Marketers and other customer experience practitioners collecting and using customer data across the EU are preparing for the biggest upheaval in data protection law in the last 20 years. The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data; they have to be informed at all times about their rights and how to object to the processing of their personal data. Read more about the new law here.
What are the five steps you need to take to be GDPR ready?
The GDPR places obligations on companies to demonstrate compliance with the legal standard. Every employee working with customer data needs to reflect on their treatment of data very carefully. If you haven’t started, analyse the types of data being processed within your company:
- Create a GDPR task force to implement necessary procedures and processes to comply with new rules
- Create and maintain a record of all data processing for your company, define the purpose of the processing and the categories of data being processed
- Collect this information by segmenting the various types of data - customer data, employment data, etc.
- List additional details like categories of data subjects, transfer to countries outside the EU, time limits for deletion and a general description of technical and organisational security measures
- Assess the risks and circumstances of data processing to ensure you are compliant with all requirements of the GDPR by May 2018
Companies must continue to provide transparent information to data subjects, which must be done at the time personal data is obtained. However, data already obtained does not have to be deleted. If it has been obtained lawfully under the current directive, companies can continue using it.
Every employee working with customer data needs to reflect on their treatment of data very carefully.
What personal data is covered by the GDPR?
Personally identifiable information (PII) is any data that could identify a specific individual. The GDPR applies to all processing of PII – any information relating to an identified or identifiable living natural person, directly or indirectly. An IP address, certain cookie data and geolocation can be classed as personal data under the GDPR. Additionally, browsing behaviour collected to create a profile will also be considered personal data.
Pseudonymising personal data
When trying to avoid requirements of the GDPR, there’s an easy solution: don’t process PII. The new regulation offers a solution to this, called pseudonymisation. This means that directly identifying data is separated from the processed data naturally connected to it, ensuring non-attribution and allowing its use.
A lot of GDPR’s obligations – like access to data subjects’ data, deletion or data portability – do not apply if a company can no longer identify a data subject. Don’t be fooled though! Pseudonym data does not mean it is anonymous. An interesting example of pseudonymisation is the processing of data for a statistical purpose. Since data mining or data scoring can be considered a statistical purpose, this exception will simplify companies’ obligations under the GDPR.
Using and analysing your pseudonym data delivers unique consumer insights without disclosing individuals’ identities. If PII is processed, GDPR requires a legitimisation for its processing. One possible justification is the data subject’s consent. This might be the most common way currently when collecting data. Consent given under the previous directive will not necessarily be invalid. Consent does not need to be obtained again, or confirmed by data subjects, if they conform to the GDPR requirements.
How can marketers obtain the new consent and what should a consent request look like?
- The privacy consent must be separate from other requests or terms and conditions
- Pre-ticked boxes or implied consents are not valid
- Forced consent must be avoided
- Consent will only be given for certain data processing by a clearly identified person or party. Using unspecified third parties for data processing will result in invalid consent
- Every consent has to be recorded and documented, including IP address, timestamp, URL and text used
- The data subject has to have an easy way to withdraw their consent at any time, and this right to opt-out has to be brought to their attention
Companies must continue to provide transparent information to data subjects, which must be done at the time personal data is obtained.
What does that mean for you now?
- Review your current customer data in your database. Where does it come from? Keep in mind that you need to document and proof the source if needed.
- Would you have to amend the process to receive customer consent in the future? Check first if you need customer consent at all or if you have legitimate interest to process customer data.
- Make sure to have easy access to the data-set associated with a certain data subject. You need to be able to provide all information associated with a data subject upon request. Also, this information must be able to be copied (“Data Portability”) and to be deleted easily (“Right to be Forgotten”) if so requested by the data subject.
The EU clearly states the enforcement date of the GDPR is 25 May 2018, at which time those organisations in non-compliance could face heavy fines. Don’t be one of those companies, prepare now for data law changes!