Unless you’ve been hiding under a rock for the last few months, chances are you already know what GDPR is. The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. To underscore this: As long as you have EU data in your company database, GDPR applies to you. US companies aren’t “spared.” Ignore it, and you’ll risk hefty penalties of up to €20M or 4% of your company’s annual revenue, whichever is greater.
GDPR will take effect in May 2018. But despite the disappearing runway, many of us still aren’t ready. In fact, when Openprise surveyed 500 professionals on GDPR readiness last November, 60% admitted they hadn’t even started planning or taking any preparatory steps towards compliance. In this article, we’ll examine why so few are prepared for this regulation and provide an easy-to-follow GDPR compliance plan to help you get started.
First off, why are we dragging our feet and procrastinating? Shahram Heshmat, Ph.D., published an article on Psychology Today that suggests five common reasons:
– The absence of structure: Fire drills demand our immediate attention. A Slack message from the product team. The latest Harvard Business Review article that you want to retweet. Distractions are everywhere and it’s easy to lose sight of priorities in the face of urgency.
– Timing. Tackling GDPR now, at this very moment, seems much more painful than tackling it mañana, so it’s tempting to put it off.
– Unpleasant tasks. Very few of us would consider GDPR a “fun” exercise. If we’re honest, we might even call it “boring” and “dry.”
– Anxiety. Procrastinators tend to avoid challenging tasks in order to relieve stress, even if those tasks are high priority. Sound familiar?
– Self-confidence. Are you avoiding having to deal with GDPR compliance because you aren’t sure how? Join the club. In fact, even in Europe, 51% of companies believe the regulation is too complex, according to new research conducted by the European Business Awards on the subject.
But fear not. GDPR isn’t as tedious as you might expect.
Follow the three simple steps in the GDPR compliance plan below. Its bite-sized action items will make the exercise less daunting, reduce stress, and boost your confidence in becoming GDPR compliant before the regulation takes effect in May.
Step 1: Understand GDPR’s impact on marketing
Allow two to four weeks for this step.
As a marketer, you’re not responsible for appointing a Data Protection Officer within your company. However, because a lot of personal data resides in marketing and sales databases, you should —
– Work closely with your Data Protection Officer to build a scalable process.
– Train your in-house team and contractors on the policies and processes.
– Understand the impact of technologies on your business operations.
Step 2: Review your company’s data collection policy, processes, and practice
Allow four to six weeks for this step.
– Take inventory of your databases for EU citizen data.
– Make sure you obtain consent from the people already in your database and implement a double opt-in process for new leads.
– Review and document your data collection policy to ensure you have a relevant and defendable business reason for the data you do collect.
– Determine whether it makes sense to create a separate process for EU data, or to apply the same process to your entire global database. We recommend the latter, as other parts of the world are quickly following suit, and the need to protect personal data is universal.
– Document, monitor, and audit the flow of data among your systems and between data processors.
– Create processes so you can promptly respond to data owner requests within 30 days, per GDPR requirements.
Step 3: Identify gaps and implement changes to ensure GDPR compliance
Allow six to eight weeks for this step.
– Assess your data, processes, training, and technologies to identify compliance gaps.
– Understand what controls you already have in place, and make sure they are up to date and can adequately handle GDPR mandates.
– Implement changes accordingly. There are data orchestration platforms out there that can help streamline the process and ensure GDPR compliance.
Ultimately, GDPR is about building a culture of privacy. It impacts every company that holds EU citizen data. You must respect the privacy rights of individuals; run a disciplined database made up of engaged, targeted, and opted-in individuals; have control over the handling of EU personal data; instill pervasive awareness in everyone who touches the data; and establish accountability and credibility.
The regulation to monitor the use of personal data is necessary, and in just a few months it’ll become mandatory. While it’s tempting to procrastinate as the task might seem daunting, don’t cave in. Turn off social media. Mute your phone.
Stop checking emails every five minutes (no, it’s unlikely things will come crashing down). Invest a few hours to think through GDPR compliance and what it means for your company.
It’s an exercise that could spare you potential fines starting at €20 Million. That alone should be reason enough to make it a priority. Don’t be a company that makes the PR-disaster headlines.
Follow the suggested steps and tackle GDPR compliance head-on: get ahead of the game, build a trustworthy data practice, and earn a reputable brand in the process. It’s worthwhile work that will pay off in the long run.