The EU General Data Protection Regulation, or GDPR as it’s widely known, fundamentally changed the handling, sourcing, and distribution of data collected about customers living within the European Union region. As professionals trying to engage with a global audience, it’s important for marketers to be aware of the GDPR Compliance, privacy and security responsibilities– all this help to avoid falling prey to breach of the international laws.
With the GDPR, an individual’s privacy rights are prioritized over a company’s right to access and use customer information. If a business relies on approaches like cold calls, or using cold mailing lists, it’s likely that company is not GDPR compliant, in the absence of gaining the explicit consent of the individual.
As we approach the 1 year anniversary of the introduction of GDPR, it’s a good opportunity to review your data compliance policy and implementation of it, to ensure your company doesn’t find itself in breach of the ruling.
Here are 3 key considerations when implementing a best-practice GDPR compliance strategy within your marketing teams:
Set strong foundations in GDPR compliance
The GDPR demands significant accountability and obligation from companies, to the extent that the reversal of the burden of proof applies. This means companies are responsible for proving they are complying with the GDPR laws, rather than authorities providing evidence of infringements. As a result, its necessary to continuously monitor and improve all GDPR processes.
Because of this it’s vital to have a data protection and management system that maps all business processes to ensure they’re GDPR compliant
Organizations should document all data around the company processes company-wide, alongside the legal reasons for each process.
How can this be done?
The best way to monitor and document your GDPR requirements is by setting up a privacy management system that maintains a central repository of processing activities. It doesn’t necessarily need to be a complex system, but should record and map the processing of all customer data. This system should be updated to ensure it aligns with legal regulations for processing data, but should also contain guidelines around responsibilities, an overview of how data is collected and stored, any tech or internal measures that need to be taken to contain this data, and a risk management system to protect and deal with any potential security issues.
Deploying a business process management (BPM) tool is the most effective way to do this, especially those that are cloud based and can be customized to suit the business and its unique data.
Many of our own customers have implemented Signavio’s BPM solution to create a data glossary, acting as both a register for various processes and data sets, as well as a dictionary for defining the GDPR category they relate to. Defining these processes and assets also allows them to easily check the legality of the processing of this data in accordance with GDPR, ensuring legal requirements are clear and staff aren’t guesstimating their responsibilities around data security.
Understand the data you’re holding and how it’s used for GDPR compliance
GDPR requires you to know and document the personal data your business holds, its origins and how it is shared. Establish an understanding of which data is collected, which data is stored, and where, as well as what responsibilities apply to each kind of data.
Ensure responsibilities across your team are defined and documented in the process models, for example, identifying a compliance officer or other decision-makers for handling customer data.
When you’ve established how data is collected and stored, you need to identify what kind of data it is and how you need to treat it. Thanks to technology advances, it’s easy to automate this process so decision makers can quickly evaluate and check that data is being processed in line with GDPR requirements.
This is important because the GDPR requires a data protection impact assessment to be made wherever there is significant risk in the handling of sensitive data, which often, marketers deal with.
If one does not already exist, creating a privacy statement that explains customers’ rights and
the business’ lawful responsibilities for processing information is a simple way to ensure companies are compliant with the requirements of the GDPR. A smarter approach would be to automate the way companies collect personal information, so that when a customer provides their data, companies can easily monitor when, how and the purpose for which it was supplied.
Regularly and consistently monitoring this process is essential to stay afloat of compliance, and when automated, can be easily managed. The goal here is to achieve permanent GDPR compliance in a changing process landscape.
Be cautious of consent obligations in GDPR compliance
Consent is required to be explicit under the GDPR. Individuals need to opt-in to provide personal data to a company, using clear and unambiguous consent statements, specific to the information they are providing. This means blanket statements for general/ all data collection is not sufficient for GDPR compliance.
Broader statements are enough when collecting non-sensitive data, however long, difficult to read terms and conditions, fine print and opt-out ticked boxes are no longer acceptable. Companies are also required to give individuals a simple way to withdraw consent at any time, along with instructions about how to do so.
Because companies are required to maintain proof of consent, here are a few questions you should consider when developing your GDPR consent strategy:
How do you request, manage, and store consent?
If you’re not currently doing this, what changes need to be made?
Are new policies or processes required?
How will these processes and systems be communicated to staff?
Is data being collected from individuals under the age of 16? If so, how will parental consent be obtained to collect and use children’s data?
How can you build trust to encourage customers provide consent, as well as engage with your business offering?
Ensuring compliance officers and staff are equipped with answers to these questions is a good way to make sure they have a strong understanding of the GDPR requirements. Not only will this prevent organizational inefficiencies, it also enables staff to identify issues and act compliantly, protecting your organization from potential legal ramifications.
Read More: Why Tone is Everything in Marketing!