5 steps to getting your GDPR house in order

Worried about GDPR consent issues? Called a halt to preparations while you wait to see the effect of Brexit? Still feel unprepared? You’re not alone, but with stringent penalties for non-compliance, it’s time to press on with GDPR.

With little over a year to go until the General Data Protection Regulation (GDPR) is enforced, the latest DMA research shows a big improvement in awareness but a significant gap in actual readiness. Almost a third of B2C marketers still feel unprepared for GDPR, and 70% remain concerned about consent issues.

Even more worryingly, research reported in Marketing Tech shows 24% of UK businesses have stopped preparing for GDPR in the mistaken belief that Brexit will alter the playing field. It won’t, not least because GDPR will be in force before Brexit negotiations are even halfway through. Post-Brexit, the likelihood is that UK data protection law will be at least as stringent as EU law, if not more so.

The penalties for non-compliance are severe (fines of up to €20 million or 4% of global annual turnover, whichever is higher). So if you’re starting to panic about your (lack of) preparations for GDPR, or if you’ve called a halt and need to resume, here are 5 steps to getting things moving.

1) Assign responsibility

The GDPR requires you to appoint a Data Protection Officer (DPO) if you are a public authority, carry out “large scale systematic monitoring of individuals” or carry out “large scale processing of special categories of data”.

In reality, and particularly given the penalties for getting GDPR wrong, we would recommend that every organisation appoints a DPO. Your DPO should report directly to the highest level of management (to ensure the role carries the weight and organisational buy-in to get things done) and should monitor compliance activities both before and after the GDPR takes effect.

Act now: Appoint your DPO and key staff charged with ensuring a smooth transition to GDPR. You can find the beginnings of a DPO job description here.

2) Understand how you’ll be affected

Unless you know how you collect data, where you store it and how you use it (e.g. for profiling, matching, sharing etc.), you’ll never be able to meet the GDPR’s key requirements of data transparency and consumer control.

What’s more, only when you understand your data landscape can you make plans for a post-GDPR world, because how you use personal consumer data will affect a wide range of the tools and processes you use every day, including (but not confined to) the following:

  • Web analytics
  • Tag management tools
  • Media tags & campaign tracking
  • CMS tags
  • Personalisation & testing
  • CRM database

Many organisations still have silos of data: individual, unconnected pots of information held in individual departments, all of which need unearthing and understanding. Now would also be an ideal time to find a way of integrating this information, so every part of the organisation can benefit from all of its data.

Act now: Carry out an audit of your data landscape to understand what data you have and where it is held.

3) Start planning consent

There are a number of lawful bases on which the GDPR permits the holding and processing of personal data, from performing a task that’s in the public interest to complying with a legal obligation. But for most brands, and in the majority of situations, the basis you will have to rely on is the consent of the data subject.

That consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action, and you must be able to demonstrate that it was given. Assuming implied consent on the basis of a box left unchecked five years ago won’t cut it.

Here’s an example. A typical cookie banner announces that the site uses cookies, sets them on entry, and treats continued browsing as acceptance: implied consent. To date, this form of banner has been entirely consistent with the existing cookie consent rules.

But from 25 May 2018, when the GDPR applies, you’ll need explicit consent. If you can’t get it, and if no alternative lawful basis for the processing applies, you won’t be able to process that data.

Act now: Identify the consents that will need upgrading and start planning your opt-in communications. What can you do between now and May 2018 to increase the likelihood of customer opt-in? Conduct an impact analysis on your strategic initiative goals based on a move from implicit to explicit consent.
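To make the move from implied to explicit consent concrete, here is an added example of the logic a consent banner and tag manager would share. It is not code from the original article or from any particular vendor; the purpose names, the notice version strings, the one-year re-consent interval and the in-memory `store` (standing in for a cookie or a server-side consent log) are all assumptions. It shows the three properties the text asks for: consent only counts when it was an affirmative opt-in, it is recorded per purpose, and it carries enough evidence (timestamp and notice version) to be verified and to be re-asked when stale.

```javascript
// Added example, not code from the original article. A minimal consent gate:
//   clear/affirmative: only a record written by an explicit opt-in counts;
//                      "banner shown, user kept browsing" never does.
//   specific:          consent is recorded per purpose, and anything the user
//                      did not tick is treated as refused.
//   verifiable:        each record carries the timestamp and the version of the
//                      notice the user saw, so a stale or superseded consent is
//                      re-asked rather than assumed.
// Assumptions (hypothetical): the purpose names, the notice version strings,
// the one-year re-consent interval, and an in-memory `store` standing in for
// a cookie or a server-side consent log.

const PURPOSES = ["analytics", "personalisation", "marketing"];
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Called from the banner's "save my choices" button, never on page load.
function recordConsent(store, { granted, noticeVersion, now = Date.now() }) {
  const decisions = {};
  for (const purpose of PURPOSES) {
    decisions[purpose] = granted.includes(purpose); // not ticked = refused
  }
  store.consent = { method: "explicit", decisions, noticeVersion, timestamp: now };
  return store.consent;
}

// The legacy pattern the text describes: a banner that sets cookies on entry
// and treats continued browsing as consent. Included only to show that the
// gate below rejects such a record.
function recordImpliedConsent(store, { noticeVersion, now = Date.now() }) {
  const decisions = {};
  for (const purpose of PURPOSES) decisions[purpose] = true;
  store.consent = { method: "implied", decisions, noticeVersion, timestamp: now };
  return store.consent;
}

// True only for a current, affirmative, purpose-specific opt-in.
function hasValidConsent(store, purpose, { currentNoticeVersion, now = Date.now(), maxAgeMs = ONE_YEAR_MS }) {
  const c = store.consent;
  if (!c) return false;                                        // no record at all
  if (c.method !== "explicit") return false;                   // implied consent does not count
  if (c.noticeVersion !== currentNoticeVersion) return false;  // notice changed: ask again
  if (now - c.timestamp > maxAgeMs) return false;              // stale (the "five years ago" case)
  return c.decisions[purpose] === true;
}

// The gating decision a tag manager makes on each page view: which
// non-essential tag categories may fire. Strictly necessary cookies need no
// consent and are not modelled here.
function tagsToLoad(store, opts) {
  return PURPOSES.filter((purpose) => hasValidConsent(store, purpose, opts));
}

// Stand-alone demonstration on constructed visitor records.
function demo() {
  const opts = { currentNoticeVersion: "2018-05", now: 1000 };
  const visitor = {};
  const before = tagsToLoad(visitor, opts);                                // nothing fires
  recordConsent(visitor, { granted: ["analytics"], noticeVersion: "2018-05", now: 1000 });
  const after = tagsToLoad(visitor, opts);                                 // only analytics
  const legacy = {};
  recordImpliedConsent(legacy, { noticeVersion: "2018-05", now: 1000 });
  const implied = tagsToLoad(legacy, opts);                                // nothing fires
  return { before, after, implied };
}
```

The design choice worth noting is that the gate fails closed: a missing record, an implied record, an unticked purpose, a superseded notice or an old timestamp all yield "do not fire". Bumping the notice version when the privacy notice changes is what forces the re-consent the text calls "upgrading" existing consents.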

4) Agree processes

The GDPR confers a number of rights on individuals, some of which you may already comply with, and some of which will be new to you. You’ll find the full list of rights here, but the key point is that you need to agree how you will comply with those rights in practice. None need to be painfully convoluted – ensuring users can exercise their right to rectify their data, for example, may require little more than a new web page, an email address and someone to monitor it – but they do need considering now.

It’s the same story with data breaches. If data does escape, how will you detect it in the first place, and how will you meet your 72-hour notification obligation (72 hours from becoming aware of the breach)?

Act now: Consider the simplest, most effective process changes to comply with GDPR, and work up a plan of implementation.

5) Seize the opportunities

You can spend the next 12 months driven by the fear of non-compliance penalties, or you can see the GDPR as an opportunity.

Because when you take the steps required to gain consent, build transparency and deliver consumer control, you also build trust, loyalty and goodwill. Make the next 12 months count, and the post-GDPR world could see you processing more meaningful data for more valuable customers.

And just because someone opts out of your communications or cookies, it doesn’t mean they can’t still be a valuable customer. Think about how you would build loyalty and create compelling reasons for a value exchange.

Act now: Use GDPR as a great excuse to revisit the customer experience. Identify the quick wins that could help you a) retain opt-ins and b) encourage opt-outs back.

Need a little help? From digital processes to data management to customer communications, if you need a hand putting your GDPR compliance measures in place, call us. Just don’t leave it to the last minute! 

Find out more about the General Data Protection Regulation (GDPR) in our latest thought leadership piece.