Businesses across the world are preparing to meet new requirements for all companies that operate in the EU or process information about EU citizens. GDPR, the General Data Protection Regulation, is a new EU regulation that enforces standard data privacy laws, and all businesses affected by these changes must comply by 25th May 2018, amid warnings of fines of up to 20 million euros for non-compliance.
GDPR is designed to protect consumers and their rights, and marketers are anticipating positive changes in the smaller but potentially more useful data pools of the future. However, there’s no doubt that this is a big change for businesses of all sizes, and that it will almost certainly involve some serious restructuring and redesigning of your policies and marketing strategies. Read on for our guide to making these changes, and to find out whether our Audit for GDPR could benefit your business.
Your Essential GDPR Checklist
1. Update your privacy policy
There are many significant changes to privacy policies under GDPR, including the following:
- You must identify the data controller and the data protection officer within your business, and provide their contact details, as well as identifying any organisations that you intend to share data with on a third party basis. If you are sharing data, you must specify the safeguards you will use to protect transferred data.
- You must include details of client rights, including the right to withdraw consent for any and all data processing purposes, and the right of access to personal data, including rights to correct or delete it. Of course, your policy should also make clear the right to file a complaint with a supervisory authority.
- You must specify the details of any automated processes involved in your data management, including the process used to make automated decisions and the potential consequences of this for your clients. This applies to third party software providers as well as other third party partners, as outlined in section 6 below.
2. Check your current databases
All databases now require opt in consent with clarity about the exact ways in which client data will be used.
Note that all consents should be recorded, and you must ensure that all clients are followed up according to the consent they have given. This process is likely to involve contacting clients to confirm their consent or request consent to use data in different ways, especially if you are using data where no opt in is recorded, or where contact details were passed on by a third party.
If you do not have specific opt in consent for every way in which data is used, if your opt in is non-specific, or even if you have not engaged with a client for a period of time but still retain opt in consent, you should follow this up to obtain specific opt in consent for the future.
3. Set up a record of opt in consent
Since clients must now actively opt in to personal data storage processes, you must store data in a format appropriate to the type of opt in consent given for specific purposes. The following procedures can ensure your business aligns with these requirements:
- Including an opt in check box, which must be unchecked by default
- Adding an ‘opt in’ button or link
- Providing a yes/no option to ensure clients actively opt in
- Creating an option for clients to choose preferences or adjust settings for their own account
- Seeking opt in consent verbally, by phone or in person
- Sending an email requesting consent, and storing responses to this
- Obtaining opt in consent in hard copy on a paper form
You should ensure that you have a clear process for deleting clients from your database – and any duplicates – if they request this, and for amending the type of opt in given by each individual.
It is vital to update your staff training to ensure all team members realise the importance of the new procedures, and to assess how your business is meeting these requirements on an ongoing basis.
4. Campaign for consent
The way in which personal data is used has been in the spotlight for many months, and it is challenging to create campaigns to request opt in consent in this climate. Focus on showing your clients how they will benefit from giving consent to use their data, and demonstrate how you will protect and safeguard it. The more personal and relevant your approach, the more likely you are to secure opt in consent.
5. Ensure your sales team are informed
If you have a sales team involved in creating conversions for your business, they have probably relied on practices such as automatic newsletter subscription, or free trial offers via email. However, under GDPR, this is no longer acceptable unless consent has been specifically sought for these purposes. Therefore, the database that your sales team can access will be restricted according to the new regulations, and it is very important that they understand the new requirements and the need to comply with them.
You should review the way in which data is shared between your marketing and sales teams, ensuring that it is secure and precise, and make sure that your staff are aware of the ways in which opt in consent should be obtained and recorded in different situations.
6. Consider third party access
A particularly complex aspect of GDPR is the way in which it affects third party sharing. You must identify all third parties with whom you share data, and find out how they are using this data and whether their policies comply with GDPR.
For digital marketers, who are a third party with routine access to customer data, it is essential to request that your access to personal data is modified so that you are not handling it without consent. It may help to offer training that enables your clients to handle their own database lists and manage systems such as AdWords.
7. Anticipate security breaches
GDPR requires that you deal with security breaches in a clear and transparent manner, which includes the following:
- A process by which you inform all relevant parties of the breach, with clarity about emergency contact details and the personnel who will address it
- A procedure to draft a media statement and to update your website, blog and social media where possible
- Draft scripts and responses for customer telephone or social media enquiries
- Documents including a Q & A, and a clear outline of all steps taken in all departments to comply with GDPR
8. Address information requests
Under GDPR, you must provide a ‘full response’ to a request for information within one month. This means that if you are asked to provide information about the personal data you hold, your response must include:
- A full breakdown of the data you hold about the individual in question, including where it is stored
- A record of how the data has been used
- Information about how long you intend to keep this data.
This need not be a stressful process if you have anticipated requests such as this. You should put in place a streamlined process for retrieving this data, including automated processes where relevant, and create a landing page with an information request form on your website. One member of your team should take responsibility for checking requests, identifying the relevant data and responding to the request within a month. A template email response will be helpful here, and it should include options for updating or deleting data, as well as adjusting consent and unsubscribing.
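The consent record described in section 3 and the information request in section 8 both depend on the same bookkeeping, so here is an added example (not code from the original article or from ePresence) of a minimal consent register: consent is recorded per specific purpose and channel, defaults to "no" when nothing is recorded, can be withdrawn, and the same client's records are erased together even when the address was entered in different forms. The `ConsentRegister` class, its field names and the retention rule are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

@dataclass(frozen=True)
class Consent:
    purpose: str        # one specific purpose, e.g. "newsletter"
    channel: str        # how it was obtained: web_checkbox, email, phone, paper
    granted: bool       # False records a withdrawal of consent
    recorded_at: datetime

def _key(email: str) -> str:
    # Normalise so "Ann@Example.com " and "ann@example.com" are one client;
    # this is what lets an erasure request also remove duplicates.
    return email.strip().lower()

class ConsentRegister:                      # hypothetical class, not a library API
    def __init__(self):
        self.consents = {}   # client -> [Consent, ...] in the order recorded
        self.data = {}       # client -> {"store": where held, "fields": personal data}
        self.usage = {}      # client -> notes on how the data was used

    def record(self, email, purpose, channel, granted=True, when=None):
        when = when or datetime.now(timezone.utc)
        self.consents.setdefault(_key(email), []).append(Consent(purpose, channel, granted, when))

    def store(self, email, store_name, fields):
        self.data[_key(email)] = {"store": store_name, "fields": dict(fields)}

    def log_use(self, email, note):
        self.usage.setdefault(_key(email), []).append(note)

    def may_use(self, email, purpose) -> bool:
        # No record for this exact purpose means no consent (unchecked by default);
        # the most recent record for the purpose decides.
        hits = [c for c in self.consents.get(_key(email), []) if c.purpose == purpose]
        return bool(hits) and hits[-1].granted

    def erase(self, email) -> bool:
        k = _key(email)
        found = k in self.consents or k in self.data or k in self.usage
        for table in (self.consents, self.data, self.usage):
            table.pop(k, None)          # remove every copy, not just one table
        return found

    def access_report(self, email, retention: timedelta) -> dict:
        # Assembles the three parts section 8 asks for: data held and where,
        # how it has been used, and how long it will be kept (assumed rule:
        # retention counted from the most recent consent record).
        k = _key(email)
        held = self.data.get(k, {"store": None, "fields": {}})
        consents = self.consents.get(k, [])
        latest = max((c.recorded_at for c in consents), default=None)
        return {"data_held": held["fields"], "stored_in": held["store"],
                "consents": [(c.purpose, c.channel, c.granted) for c in consents],
                "usage": list(self.usage.get(k, [])),
                "keep_until": (latest + retention).date().isoformat() if latest else None}
```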
ePresence | GDPR Website and Email Marketing AUDIT
Here at ePresence, we’re offering a service that is designed to help ensure that your website and email marketing are GDPR compliant in time for the GDPR deadline.
Our Audit service will:
- Review your website for elements of opt in compliance
- Review your website for storage and maintenance of personal data
- Review your website for Cookie usage and compliance
- Review your collection of personal data for email marketing purposes
- Review your process for maintenance of personal data online for website and email marketing purposes
- Provide a report with recommendations
We are currently offering this service for €375+VAT to include all of the above, or €295+VAT for existing clients.
Please note that we are not a legal advisory service. Our advice is based on our expertise in this field and our experience with other clients and data available to us. This audit relates to website and email marketing only. The price quoted above does not include implementation of website changes which will be clearly detailed in the Audit Report.