Marketers across Europe are by now well aware of the General Data Protection Regulation (GDPR) and its imminent arrival on 25th May. The prospect of fines up to €20 million or 4% of global turnover has grabbed our collective attention.
It can be difficult within the mix of legal analyses and media reports to identify exactly what the legislation will mean for the marketing profession. It is all too easy in our day-to-day handling of projects and challenges to put off implementing the changes required to comply with the new law. A recent study by McCann Fitzgerald and Mazars found that three quarters of Irish businesses are unprepared for the introduction of GDPR.
To simplify the process, I outline some of the core principles to be aware of and list some steps you can take to ensure you and your team are compliant.
Understand the seven core principles for processing personal data
There are seven fundamental principles that apply when processing personal data. This is the place to start your compliance journey as it forms the core of GDPR.
1. Lawful, fair and transparent. Firms are required to process data in a lawful, fair and transparent manner. When collecting personal data, you must tell people what processing will be done, in clear and straightforward language.
2. Purpose limitation. Personal data should only be obtained and used for specific, explicit and legitimate purposes. Marketers must take care to avoid ‘scope creep’ and the inclination to use data for activities beyond what the consumer might reasonably expect they have consented to.
3. Data minimisation. Think clearly about the data you actually need. Make sure it is relevant and necessary only for the purposes for which it is being processed.
4. Accuracy. Put policies in place to ensure your data is both accurate and up-to-date.
5. Storage limitation. Do not keep data for longer than necessary. If you do not have clear retention policies at your firm, now is the time to put these in place.
6. Integrity and confidentiality. Make sure your data is confidential and secure. If you have a CRM, for example, put in place clear user rights and controls on who can access what data.
7. Accountability. Your firm is responsible for compliance with GDPR and must be able to demonstrate this.
Know the legal basis for processing personal data
There are six legitimate bases for processing someone’s personal data.
1. Consent. Consent must be freely given, specific, unambiguous and informed. It will no longer be lawful to rely on implied or passive consent, such as pre-ticked boxes on websites. As consumers can withdraw their consent at any time, other bases such as contract or legitimate interest may be a more viable long-term option for businesses.
2. Contract. Firms can process data if the processing is required to enter into or perform a contract.
3. Legal obligation, i.e. the processing is required by an obligation under EU or member state law.
4. Vital interests. The processing is in the vital interests of the data subject.
5. Public interest. The processing is in the public interest.
6. Legitimate interests. The processing is in the legitimate interests of the controller or processor, but this must be balanced against the rights of the data subject.
Know your data
The next step is to gain a thorough understanding of your current data. This is achieved through a data audit, which looks at aspects such as:
- What data do you currently store?
- Why did you obtain it?
- What purpose was it obtained for?
- What security and retention policies are in place?
- Is there a policy and procedure in place to respond to data access requests?
- Are contracts in place with third party suppliers who process your data?
Depending on the size of your firm, it may require hours, days or a number of months to establish a detailed inventory of all the data you are currently storing and utilising. A useful part of this process is to put together a diagram or visual representation of the data.
Train your team
It is too easy to presume that knowledge of data protection is the job of the data protection officer (DPO) or legal counsel. As a marketing professional, and one of the larger users of data within your firm, you and your team must ensure you have adequate training on GDPR and best practice. As much as possible, this should be undertaken across the full team. Anyone who interacts with personal data should have at least a grounding in the basics of GDPR, particularly the legal bases for processing.
Change your mindset
Over the years, many of us will have had KPIs to increase our databases. A new mindset is required. We need to focus on having the most qualified and compliant database of contacts. GDPR gives consumers a greater say in how their personal data is used. These new, lighter, more focused lists will enable us to communicate with consumers who are genuinely interested in our firm’s products and services.
Most marketing databases have contacts dating back many years. GDPR requires that you are able to provide tangible proof that these contacts consented to having their data processed. Many firms are now re-permissioning their databases for this purpose. Firms will need to put in place a ‘consent store’ or some form of centralised system where this proof can be quickly and easily accessed.
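As an added illustration (example code, not from the article or its author), the sketch below shows one way to build the ‘consent store’ just described: an append-only log of consent events that can show, for any contact and purpose, when consent was given or withdrawn, through which form and against which privacy notice. It also produces the per-contact export a data access request needs and flags legacy contacts with no proof on file for re-permissioning. The class and field names, the contacts and the notice versions are hypothetical, constructed for the demo.

```python
# Hypothetical "consent store": an append-only log of consent events.
# Added example, not the article's or any vendor's code; names and data are constructed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # internal contact identifier
    purpose: str           # specific purpose the consent covers, e.g. "newsletter"
    granted: bool          # True = consent given, False = consent withdrawn
    recorded_at: datetime  # timezone-aware timestamp of the event
    source: str            # how the consent was captured, e.g. "web-signup-form"
    notice_version: str    # version of the privacy notice shown at the time


class ConsentStore:
    """Append-only record of consent events; entries are never edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # Reject naive timestamps: proof must be unambiguous about when it happened.
        if event.recorded_at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def history(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full audit trail for one contact and purpose: the 'tangible proof'."""
        return sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose),
            key=lambda e: e.recorded_at,
        )

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        hist = self.history(subject_id, purpose)
        return hist[-1] if hist else None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Consent is a valid basis only if the most recent event is a grant."""
        last = self.latest(subject_id, purpose)
        return last is not None and last.granted

    def subject_access_export(self, subject_id: str) -> list[dict]:
        """Everything held about one contact, for answering a data access request."""
        return [
            {"purpose": e.purpose, "granted": e.granted,
             "recorded_at": e.recorded_at.isoformat(),
             "source": e.source, "notice_version": e.notice_version}
            for e in sorted(self._events, key=lambda e: e.recorded_at)
            if e.subject_id == subject_id
        ]

    def needing_repermission(self, contacts: list[str], purpose: str) -> list[str]:
        """Contacts on a legacy list with no current recorded consent for this purpose."""
        return [c for c in contacts if not self.may_process(c, purpose)]


def build_demo_store() -> ConsentStore:
    """Constructed sample data: two recorded contacts; a third has no record at all."""
    store = ConsentStore()
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    store.record(ConsentEvent("alice", "newsletter", True, t0, "web-signup-form", "notice-v2"))
    store.record(ConsentEvent("bob", "newsletter", True, t0, "event-registration", "notice-v2"))
    # Alice later withdraws via an unsubscribe link; the original grant stays in the log.
    store.record(ConsentEvent("alice", "newsletter", False,
                              t0.replace(day=10), "unsubscribe-link", "notice-v2"))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    legacy_list = ["alice", "bob", "carol"]  # carol: old contact, no proof on file
    print("send newsletter to:", [c for c in legacy_list if s.may_process(c, "newsletter")])
    print("re-permission:", s.needing_repermission(legacy_list, "newsletter"))
    print("alice proof:", [(e.granted, e.source) for e in s.history("alice", "newsletter")])
```

The design choice worth noting is that withdrawal is recorded as a new event rather than by deleting the grant: the store can then show both that consent once existed and exactly when it ended, which is what an auditor or a complainant will ask for.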
Prepare for data access requests
GDPR removes the previous cost of €6.35 to make a data access request, while the response time is shortened to 30 days. Many commentators expect to see an increase in requests. Work with your data team or in-house experts to put in place a procedure. Who will follow up on the request once it is received? Have you a clear understanding of where the data is held? Are there multiple data owners who need to contribute? Putting in the effort in advance will save you time, hassle and stress in the long run.
Put processor agreements in place
Many firms use third party suppliers to process data on their behalf. Marketing examples could include a retargeting company, CRM provider or a web agency. Under GDPR you are obliged to put in place formal contracts with these suppliers. This can take time, so if you haven’t begun already, now is the time to take action.
Undertake Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) will be mandatory for any new activities that involve the systematic processing of large amounts of personal data, for example the introduction of a new CRM system or international data transfers. A DPIA must be undertaken before any processing activity takes place. Take the time to build this into the timelines and procurement practices for upcoming projects you may be working on that fit this category.
The GDPR will be upon us in less than three months. The good news is you still have time to commence your journey towards compliance. Use the compound effect. Take clear steps each day. By getting to know the legislation and core principles, you and your team will be well placed to prosper under the new data regime.
About the author
Steven Roberts is Head of Marketing at Griffith College and a Certified Data Protection Officer.
The opinions expressed are the author’s. They are not intended as a substitute for seeking professional legal advice on data protection and GDPR.