Are your C-Suite looking a little peaky? It could be that they’re suffering from the new medical phenomena sweeping the marketing world – yes, we’re talking about GDPR compliance anxiety.
So what’s the remedy? There’s no doubt that achieving compliance is going to be complex and time consuming; you’ll need a team of personnel dedicated to understanding the intricacies of the new requirements and ensuring that your strategy for compliance adheres to GDPR requirements. In other words, it’s going to require a serious investment in your company’s long-term health.
All in all, it’s a huge pill for your business to swallow – so let’s break it down into more manageable doses and look at the 10 crucial GDPR tasks you’ll need to complete.
#1. Document all your data
This is likely to directly involve your IT, customer services, and marketing departments. IT directors will need to clearly document the location and detail of all personal data across the whole organisation and all your business’ computer systems, including any outsourced processing or storage. Some cloud-hosted software packages move the data outside the EU, so it’s essential to know where this data resides.
In order to keep your documentation constantly up to date, it is likely that you’ll need to appoint and train a data protection officer who the business commits to for at least three years in this post. Your marketing department will then need to check what data has been collected and where it’s located – this includes promotions, voucher houses, fulfilment houses, printers, media agencies and digital agencies.
#2. Document and publish usage of all personal data
As well as affecting the departments above, this process will also have legal considerations. Your IT department will need to demonstrate defined usage of all personal data, including what data has been collected, what it’s been used for, how long it’s been stored for and who it’s been passed to.
All customer facing staff must be trained to understand all your customer’s personal data and, as with IT, know what data’s been collected, what it’s been used for, how long it’s been stored and who it’s been passed to.
Your legal department must ensure complete transparency in line with the new Privacy Notices stating the defined usage of all personal data. This must then be reflected in your marketing department’s actual usage of that data, including processing, customer targeting or profiling – all these activities must strictly adhere to your company’s defined usage of all personal data.
#3. Transparency of data collection
To meet this requirement, we suggest that you standardise the data collection of personal data across all channels and touchpoints; even the less obvious channels such as EPOS, web pop-ups, customer support desks and exhibition visitors. All customer-facing staff will need to be trained to understand that they must actually ask or inform the customer about the collection of their data.
Again, this must be carried through to your marketing department who must reflect complete transparency across all new data collection activities, including promotions, on web pages, via social channels like Facebook, on i-Frames, etc. Marketing directors also need to ensure third party agencies are fully and correctly briefed when producing any new creative.
#4. Accessibility and control
For this step, it’s crucial that your IT department has management systems in place for both consent management and preference management, which of course are two entirely separate entities. Again, customer facing staff must be aware of this difference and be capable of explaining it to customers, and your marketing department should carry this through into subsequent promotional activities.
#5. Data portability
IT should have a clear process in place for data portability, including the data items to be moved and what data remains. Processes needs to exist and customer facing staff must be trained on how to handle the request, both from the consumer and to the new data processor. Your legal department should set in place agreements about data movement covering who the data will be moved to, how it will be moved, and when.
#6. Right to be forgotten
This is one of the trickier elements of GDPR to navigate. Your IT department must have a clear and transparent process for finding data across all systems, as well as – most crucially – the deletion of data and the creation of minimised personal data for a ‘remember me’ file. This must be backed up with a clear process for checking all new data against existing ‘Right to be forgotten’ (RTBF) data.
As an organisation, you must consider who the customer initially contacts to request the RTBF, how this is verified and that there is a clear process in place for the collection of correct and complete data to accurately identify the subject. Customer facing staff must be able to inform consumers of the time this process will take, and have clear communication channels in place to confirm RTBF requests from consumers.
Your legal department must define your business’s corporate process for RTBF requests, covering variables such as whether the customer can re-register after they’ve previously requested the Right to be Forgotten, or not – this will be particularly crucial for multi-brand organisations, where a consumer may have requested RTBF with one sub-brand but not another.
#7. Subject Access Request
Moving forward, ‘subject access requests’ will be free, and it’s likely that consumers will demand more than they have historically. Your organisation must put a clear process in place for managing these requests and who they’re made to. Finding and outputting the customer data held across all your systems is always problematic, so early work on mapping where it all sits and how to respond to a SAR will be good preventative medicine.
#8. Demonstrate how you store ‘Proof of Consent’
This aspect directly involves your IT and marketing departments; IT should consider how to deliver to GDPR requirements around the storage of ‘Proof of Consent’ and on which systems, while your marketing team must have a process to update IT when a collection statement has been adapted.
#9. Breach management
As an organisation, you’ll need a system in place for breach management which covers containment and recovery, reputation management, assessment of ongoing risk, notification of breach and an evaluation and response. Customer-facing staff must be aware of these processes and allocate internal ownership.
#10. Current customer data and permissions
A full audit should be completed by IT to determine exactly what data you have and how robust it is. When was it collected? How old is the data? Have you kept it clean with industry-standard ‘deceased and goneaway’ processing?
Your marketing department must be able to inform customers of their rights and potentially re-collect permissions where previous standards have been poor – such as implied permissions, no channel permission or permission to newsletter only. Rather than seeing this as a negative, consider it a valuable opportunity to re-engage with your customers and talk to them about what future they want with you.
So there you have it – doctor’s orders. But while this over the counter prescription should begin to alleviate the main symptoms of GDPR compliance anxiety, a full consultation could set you on your way towards a clean bill of health.
Martin Bradfield is head of planning and insight at Blueberry Wave