The GDPR deadline is fast approaching and businesses need to ensure they’re compliant by May 25 next year. Here, David Carlson, Head of Technology at Fast Web Media, answers some of the key questions and offers advice to businesses getting started on their journey to GDPR compliance.
The General Data Protection Regulation will impact all businesses, particularly in the way marketing communications are sent to customers and how we look after our data. Failure to comply with the new rules will result in businesses being fined 20 million euros or 4% of the global annual revenue, whichever is the greater amount. In this article, I will look at some of the key questions about GDPR and share my tips to help you and your business get ready for the May 2018 deadline.
What can I do now to ensure my business will be GDPR ready?
The General Data Protection Regulation is designed to harmonise the way businesses store, archive and dispose of their data, so a good place to start on the journey to GDPR compliance is with data cleansing. You need to gain a good understanding of what data you hold, why you have it, what you intend to do with it, how you’re keeping it and how you discard it. There are a few ways to do this: you can either do it yourself in-house or engage a company that will help you. Once you know what data you have, things will start to become a lot clearer.
Another part of becoming compliant is the security of your business. You need to assess any potential holes in the safeguarding of your company and ensure you have the right measures in place to protect your data from any potential breaches. If you don’t have any protection in place, start with anti-virus software and make sure your systems are set to update automatically and to notify you of any critical updates; alternatively, speak to a technology solutions partner. If you’re not protected then you could be facing large fines.
A key part of GDPR which is often overlooked is the updating of policies and procedures. You need to update these to be in line with the new regulation, and doing so is also a way of proving your business has made the necessary changes to become compliant. All your documentation and audit logs are essential to prove compliance; without carrying out the necessary paperwork your business risks failing to meet expected standards and incurring a fine of 20 million euros or 4% of the annual revenue. There are people who can act as your appointed GDPR officer to make this process a lot easier, which is probably most helpful to the SME market.
We already use opt-in marketing, why do I need a second opt-in and what does it mean?
Double opt-in marketing is an additional step added to the subscribing process. Anyone who registers to receive your email correspondence will now have to confirm they do in fact want to register, and they’re not an automated marketing robot. This is done by following a link that is emailed to them after the first opt-in stage. The second stage, clicking the link, confirms the identity of the person registering and improves the quality of your data as you have the correct information. You should also think about adding a short summary to explain why you are asking for the consent of the data subject.
You may also need to gain consent from your existing contacts, but this depends on where your data was originally sourced. It’s also important to understand that the laws surrounding consent are changing; currently the law states that consent is implicit, but this will soon become explicit and must be clearly expressed. Anyone who has come to your website or has contacted you directly has usually already given permission for you to use their information and market to them, but you will still need to gain a second form of opt-in consent if explicit consent to send marketing emails hasn’t been given. If you have purchased your data from a third party, chances are you don’t have permission at all. In this case you will need to make sure the people you are contacting are aware you have their data. You can do that by asking them to give their consent through the double opt-in process.
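The two paragraphs above describe the double opt-in flow and the audit trail that proves consent was given. The following is an added example, not code from this article or from Fast Web Media, showing one way to implement that flow: a signed, time-limited confirmation token carried in the emailed link, a subscriber record that only becomes mailable once the link is followed, a withdrawal step that is as simple as the opt-in, and an append-only consent log. The HMAC secret, the 48-hour token lifetime, the consent summary text and the in-memory store are all assumptions of the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for the example: how long a confirmation link stays valid,
# and the short summary shown at sign-up explaining why consent is requested.
TOKEN_TTL_SECONDS = 48 * 3600
CONSENT_VERSION = "marketing-v1"
CONSENT_TEXT = "We will email you monthly offers. You can withdraw at any time."


class DoubleOptIn:
    """Double opt-in subscription store with a consent audit log (example only)."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret            # HMAC key; in production keep it out of source
        self._now = now                  # injectable clock so expiry can be tested
        self.subscribers = {}            # email -> record
        self.audit_log = []              # append-only consent events for compliance evidence

    def _log(self, event: str, email: str, **extra) -> None:
        self.audit_log.append({"event": event, "email": email,
                               "at": int(self._now()), **extra})

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, source: str) -> str:
        """First opt-in stage: record a pending subscriber and return the link token."""
        nonce = secrets.token_urlsafe(16)
        payload = json.dumps({"e": email, "n": nonce, "t": int(self._now())},
                             separators=(",", ":"))
        body = base64.urlsafe_b64encode(payload.encode()).decode()
        token = f"{body}.{self._sign(payload)}"
        # A fresh nonce supersedes any earlier, unconfirmed token for this address.
        self.subscribers[email] = {"status": "pending", "nonce": nonce, "source": source}
        self._log("opt_in_requested", email, source=source, consent_text=CONSENT_TEXT)
        return token   # embed in the confirmation link sent by email

    def confirm(self, token: str) -> bool:
        """Second stage: the emailed link was followed. Returns True if consent is now recorded."""
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body).decode()
        except (ValueError, binascii.Error):
            return False                                   # malformed link
        if not hmac.compare_digest(self._sign(payload), sig):
            return False                                   # signature mismatch: tampered
        data = json.loads(payload)
        if self._now() - data["t"] > TOKEN_TTL_SECONDS:
            return False                                   # link expired
        rec = self.subscribers.get(data["e"])
        if rec is None or rec["nonce"] != data["n"]:
            return False                                   # unknown or superseded request
        if rec["status"] == "confirmed":
            return True                                    # already confirmed; idempotent
        rec["status"] = "confirmed"
        rec["confirmed_at"] = int(self._now())
        rec["consent_version"] = CONSENT_VERSION
        self._log("consent_given", data["e"], method="double_opt_in",
                  consent_version=CONSENT_VERSION)
        return True

    def withdraw(self, email: str) -> bool:
        """Withdrawal needs no more effort than opting in: one call, logged like consent."""
        rec = self.subscribers.get(email)
        if rec is None:
            return False
        rec["status"] = "withdrawn"
        self._log("consent_withdrawn", email)
        return True

    def may_email(self, email: str) -> bool:
        """Only addresses that completed both stages, and have not withdrawn, get marketing email."""
        rec = self.subscribers.get(email)
        return rec is not None and rec["status"] == "confirmed"


if __name__ == "__main__":
    store = DoubleOptIn(secret=b"example-secret-change-me")
    link_token = store.request_subscription("reader@example.com", "website_form")
    print("mailable before confirmation:", store.may_email("reader@example.com"))
    print("confirmed:", store.confirm(link_token))
    print("mailable after confirmation:", store.may_email("reader@example.com"))
    store.withdraw("reader@example.com")
    print("mailable after withdrawal:", store.may_email("reader@example.com"))
    print(json.dumps(store.audit_log, indent=2))
```

The signature check uses `hmac.compare_digest` so a forged or edited link is rejected without leaking timing information, the expiry stops old links being replayed months later, and the per-address nonce means only the most recent request can be confirmed. The audit log is the evidence the article says you will need: it records what the person was told, when they asked, when they confirmed, and when they withdrew.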
By making it easier for people to withdraw from my marketing, am I going to lose my database?
The new regulation states that you must make your withdrawal process clear; it needs to be as easy to withdraw consent as it is to give it – this doesn’t necessarily mean you’re going to lose your customers, it just means you’re being more upfront and clear about your processes.
Under the legislation, data subjects now also have the Right to Erasure and the Right of Access. The Right to Erasure applies when data is no longer necessary in relation to its original purpose or when the individual withdraws their consent. There are certain restrictions that will prevent a person from exercising their Right to Erasure.
Right of Access is the right individuals have to obtain certain information, for example access to the personal data you hold about them, or confirmation that their data is being processed. In this case you must provide a copy of the information free of charge.
We market to a niche audience, how will GDPR affect us?
Regardless of industry, GDPR will have an effect on your business. To begin your journey, you will need to define your audience, as some businesses will be more affected by the change than others; for example, organisations whose services are intended for children will have new rules and regulations to adhere to.
If your business is aimed at children (this is anyone under the age of 13) you will need to obtain permission from a parent or guardian and prove you have permission from them in order to market to these people.
You still need to make it easy to withdraw consent at any time if you’re marketing to children, just the same as you would when marketing to an adult – you need to ensure your policies are written in the appropriate language for children to understand.
Will GDPR affect my existing data?
The regulation will impact the way you market to your existing data, but it won’t have a direct impact on that data itself. The law affects the things that surround your data, such as how you’re handling and protecting it.
All businesses will be impacted by the basics of GDPR and will have to adjust their business policies and processes in order to become compliant. By starting now and giving yourself plenty of time to adjust you can become compliant with minimal disruption to your business.
Early preparation is key
Following these steps will help you get started with the basics of GDPR, and they can be taken now. It’s important that you take the time to properly look through your own policies and procedures, and make the necessary amendments as these can be called upon for inspection at any time.
GDPR isn’t something that can be done overnight, and depending on the size of your business you may require help in order to be compliant. We’re currently in the process of making the necessary changes at Fast Web Media to ensure that not only is our agency fully compliant, but that we’re providing the best recommendations to our clients. Email marketing is a great place to start as it forces you to sort your data and add in the necessary legal requirements of double opt-in marketing. There are dedicated websites to guide you through the process, or you could speak to an agency for guidance.