For months, the drumbeat has been growing louder and – with less than a year before the EU’s General Data Protection Regulation (GDPR) becomes effective – the hype is now reaching full volume.
While many well-known brands have finished their GDPR gap analysis and have a clear picture of what they need to do moving forward, others have only just begun to consider the impact of the regulation. Whichever camp you fall into, the GDPR requires significant process change and corresponding change management, so few companies will be 100% ready by the enforcement date of May 25th 2018.
But there’s no need to let hysteria kick in; the GDPR should be viewed as a positive catalyst for change. The most important thing is to have an overall GDPR action plan in place and to work steadily against it, picking off the low-hanging fruit first and staying focused on the regulation’s most critical aspects.
So, what should marketers be doing to ensure they keep pace with the beat of the GDPR drum?
The first step for marketers is to create a high level GDPR action plan, which should look something like this:
- Determine how the GDPR applies to you – If you are reading this post, it is pretty safe to assume that it does. The regulation covers any company established in the EU, and any company outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU, whenever it collects, stores or processes their personal data, whether it does so itself or through vendors acting on its behalf.
- Know what data your business collects and why, so you can determine the lawful basis for each use and, in particular, whether you are relying on the individual’s consent. Consent is one of six lawful bases, but it is the one that matters most for marketers, partly because the data protection authorities can easily see whether valid consent is in place by checking marketing touchpoints such as your website, and partly because infringements of the conditions for consent attract the higher tier of penalty (up to €20 million or 4% of global annual turnover, whichever is greater). Where you rely on consent it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
- Develop an internal privacy impact assessment (PIA) process, which the GDPR formalizes as the data protection impact assessment (DPIA) and makes mandatory for processing that is likely to result in a high risk to individuals, such as large-scale profiling. PIAs allow your business to systematically analyze data flows and the associated risks to data privacy, and to find the most effective way to comply with data protection obligations. Establishing this process will plant the seeds of an internal compliance group.
- Look at your tech stack and identify where it can integrate with middleware identity management systems or other databases to automate as much of your GDPR obligations as possible. For instance, you may be able to deploy a consumer-friendly consent management tool through which an individual can exercise their GDPR rights, such as the right to object to profiling for direct marketing. You need to be able to receive a signal expressing this opt-out choice, propagate it to every system and vendor that holds the individual’s data, and then honor it, or risk severe penalties.
Marketers need to start by considering whether the tech providers that make up their marketing stack collect and process personal data on their behalf. If so, those providers are data processors, and marketers will need to work with them to ensure they are implementing their own GDPR action plan and have the necessary processes in place, particularly regarding consent. If you cannot name which of your vendors hold personal data and what they do with it, you are at risk already. Your law firm and/or ad agency should be able to help.
Marketers will need to protect themselves against penalties incurred because of something their tech provider has done, or failed to do, which may involve revising contracts with their data processors to include indemnification obligations. The GDPR in any case requires a written contract with every processor setting out what it may do with the data, and the controller remains accountable for the processing even when a processor carries it out. Marketers therefore need to be clear who is responsible for activities such as record keeping, security, notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, designating a DPO, and having contracts in place with downstream subcontractors, to avoid being landed with hefty fines.
Putting these measures in place will require plenty of heavy lifting, but it is essential because even if you cannot get all the work done in time, having a GDPR action plan with realistic timelines, and evidence of progress against it, demonstrates good faith to the regulator.
To assist the process it is critical to appoint a Data Protection Officer (DPO) as soon as possible and to furnish them with the independence and authority to give candid advice. While the GDPR aims to empower the individual with control over their data, the consequence is that most companies will have to totally reimagine their relationship to data and rethink their data strategy – understanding what data they collect, why they collect it, and where it goes. A DPO plays a vital role in this realignment and also acts as the point of contact for the supervisory authority, running interference and smoothing the rough edges.
The GDPR provides an immense opportunity for constructive change, and those that embrace the new regulation as such will come out the other side stronger and more successful. The time has come for marketers to move to the beat of the GDPR drum, getting an action plan in place and setting in motion a positive shift in their relationship with data.