GDPR and how to get compliant with it.

Since last month GDPR has been a trending topic. It has been almost a month since the GDPR (General Data Protection Regulation) came into force, and still some businesses and people have taken no or minimal steps to become GDPR compliant. There are several reasons for this, including but not limited to the following:

  1. Some of them have no idea what GDPR is or how it can affect their business.

  2. They assume their marketing automation provider or CRM will take care of any changes that are needed.

  3. Because they have no branches in the European Economic Area, they think it does not concern them.

  4. Uncertainty and rumours make it harder to become compliant.

In this post we share a step-by-step GDPR preparation checklist. If you are not yet ready, it should help you get there; if you are, go through the list anyway and let us know in the comments about any additional measures you took that we failed to include, so your peers can benefit too.

First of all, what is GDPR (General Data Protection Regulation)?

GDPR is a data protection regulation that applies to personal data collected from individuals in the EU (European Union) or the EEA (European Economic Area). It also applies to businesses located outside that area that have customers or prospects there: what matters is where the individual is, not where the business is. With the United Kingdom scheduled to leave the European Union in 2019, it gave royal assent to the Data Protection Act 2018 on 23 May of this year, which contains equivalent regulations and protections.

Under this regulation, individuals whose data is collected have the following rights:

  • The right to be informed: if data is being collected, the individual concerned must be told, including what it will be used for.

  • The right of access: the individual has the right to obtain a copy of the data held about them in order to verify it, unless doing so would adversely affect the rights of others (for example their privacy or intellectual property).

  • The right to rectification: the individual must be able to have their data corrected if any inaccuracy is found.

  • The right to erasure: the individual has the right to have their data deleted from your database, for example when they withdraw consent or the data is no longer needed.

  • The right to restrict processing: in certain cases the individual has the right to ask you to stop processing their data while still retaining it.

  • The right to data portability: the individual must be able to receive their data in a machine-readable format and move it from one service provider to another.

  • The right to object: the individual has the right to object to the processing of their data, and an objection to direct marketing must always be honoured.

  • The right not to be subject to automated decision-making and profiling: the individual has the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them.

Consent for collecting the data and for opting in to any service should be obtained from the individual, and a record of it kept; otherwise you expose yourself to complaints and enforcement under any of the rights above. Note that consent must be freely given, specific, informed and unambiguous to count.

Penalties:

If a business fails to comply with the regulation, the penalties are substantial. There are two tiers, depending on which articles have been breached:

  1. Up to €10 million or 2% of the annual worldwide turnover of the preceding financial year, whichever is higher

OR

  2. Up to €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is higher

To start with, companies and advertisers should review the avenues through which they come into contact with individuals' information and then tailor a specific strategy using the checklist below.

  1. Appoint an expert with knowledge of GDPR and similar data protection regulations

This lead should work closely with the data governance and maintenance team, and with the Data Protection Officer where one is required. They should audit and approve marketing campaigns aimed at European contacts before they run. A thorough audit of the current data collection and handling process, and of the existing database, should be carried out.

  • Review your database.

Check contacts in EU countries for records of consent. Remove people for whom there is no record of a proactive agreement, or send them a notice asking for consent. Those using CRMs and marketing automation tools should create a separate segment for these contacts so that their consent can be secured later.

  • Document all the channels and steps of data collection in detail.

Documenting everything gives you the organisation you need to follow the legal processes that come your way. So, wherever your marketing team gets data from, document every channel, such as website registrations, events, list purchases, partners, sales, etc., and ensure there is a consent process for each one of them.

  • Communicate the importance of the GDPR.

Everyone involved in any kind of data handling should understand why GDPR (General Data Protection Regulation) matters and what the consequences of not following it are.

  2. List the actions to be taken while collecting data

  • Ask for consent in clear wording

When collecting data in a form or in any other way, such as a testimonial or a video, ask for explicit consent in unambiguous written language. Consent must be an active opt-in: no pre-ticked boxes and no clauses that are accepted automatically.

  • Ask for cookie consent

Individuals have the right to be informed about the data collected about them, and cookie identifiers that single out a device or user count as personal data, so obtain consent before setting non-essential cookies.

  • Verify the age

Where you rely on consent to offer online services to a child, GDPR requires the consent of a parent or guardian if the child is under 16 (member states may lower this threshold to no less than 13).

  • Validate country

If you have decided to apply GDPR processes only to European residents, add a country field so that you can tell those contacts apart. Keep in mind that a self-reported country is only as reliable as the person filling it in.

  • Update your privacy policy

Update your privacy policy so that it is clear and tells your audience, in unambiguous words, what you will do with their data. Keep them informed of any changes to how the data is processed.

*Note that online identifiers such as IP addresses and cookie IDs also count as personal data.

  3. Actively manage the existing database.

  • Send a re-verification email

Consider sending all EU contacts a new verification email asking them again for permission to opt in. Contacts who have already unsubscribed must be left out of this mailing: they have objected to being contacted, and emailing them again, even to ask for consent, can itself be penalised.

  • Let contacts manage their preferences

Do not bundle all permissions into a single option; let your contacts choose separately what they consent to.

  4. Keep a data breach plan ready

GDPR requires organisations to report a personal data breach to the supervisory authority no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Marketing teams should be proactive and draw up a data breach response plan as insurance. Affected individuals do not have to be notified if the organisation had applied measures that render the data unintelligible to anyone not authorised to access it, such as encryption; pseudonymised data only qualifies if the key or mapping needed to re-identify it stayed out of the attacker's reach.
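The note above that IP addresses are personal data, and the breach paragraph's point that only data that stays unintelligible without a separately held secret protects you, can be shown together with keyed pseudonymisation. The following Python is an added example and not code from the original post; the key handling (a 32-byte secret kept in a separate secret store, away from the pseudonymised records) and the sample identifiers are assumptions. It contrasts an unkeyed SHA-256 of an IP address, which an attacker who steals the table can reverse by enumerating the address space, with an HMAC under a secret key, which the same enumeration cannot reverse without the key.

```python
"""Keyed pseudonymisation of contact identifiers (added example, not the
original post's code). Assumes the HMAC key is stored separately from the
pseudonymised records, e.g. in a KMS or an HSM-backed secret store."""
import hashlib
import hmac
import ipaddress
from typing import Optional


def canonicalise(identifier: str) -> str:
    """Normalise an identifier so equivalent spellings map to one token.
    IPv4/IPv6 addresses are parsed and re-serialised in compressed form;
    e-mail addresses are lower-cased (assumption: local parts are treated
    case-insensitively, as most mail providers do)."""
    value = identifier.strip()
    try:
        return "ip:" + ipaddress.ip_address(value).compressed
    except ValueError:
        pass
    if "@" in value:
        return "email:" + value.lower()
    return "raw:" + value


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The token is stable, so joins and
    de-duplication still work, but it cannot be reversed or brute-forced by
    anyone who does not hold the key."""
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    msg = canonicalise(identifier).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The tempting but weak alternative: plain SHA-256 with no secret."""
    return hashlib.sha256(canonicalise(identifier).encode("utf-8")).hexdigest()


def reverse_unkeyed_ipv4(token: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by guessing candidates.
    A /24 takes 256 guesses; the whole IPv4 space is only 2**32, so an
    attacker holding a leaked table can reverse every row in hours."""
    for host in ipaddress.ip_network(network):
        if unkeyed_hash(str(host)) == token:
            return str(host)
    return None


def reverse_keyed_ipv4(token: str, network: str, key: bytes) -> Optional[str]:
    """The same search against keyed tokens: it only succeeds when the
    searcher has the key, which is exactly what 'kept separately' buys you."""
    for host in ipaddress.ip_network(network):
        if pseudonymise(str(host), key) == token:
            return str(host)
    return None


def matches(identifier: str, token: str, key: bytes) -> bool:
    """Authorised lookup: does this identifier belong to this token?
    Constant-time comparison avoids leaking partial matches via timing."""
    return hmac.compare_digest(pseudonymise(identifier, key), token)


if __name__ == "__main__":
    # Constructed sample data; in production the key comes from a secret store.
    key = bytes(range(32))
    ip = "203.0.113.7"
    weak = unkeyed_hash(ip)
    strong = pseudonymise(ip, key)
    print("unkeyed token reversed to:", reverse_unkeyed_ipv4(weak, "203.0.113.0/24"))
    print("keyed token reversed without key:", reverse_keyed_ipv4(strong, "203.0.113.0/24", b"\x00" * 32))
    print("authorised match:", matches(ip, strong, key))
```

If a breach exposes only the token column and the key was never on the compromised system, the tokens alone tell the attacker nothing about who the contacts are; if the key was on the same box, treat the data as plaintext for the purpose of the notification decision.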

Please note that this is not legal advice, but it should make life a bit easier. Let us know how confident you are in your readiness in the comments below.
