The General Data Protection Regulation (GDPR) comes into force in May 2018.
For most firms, it will have a dramatic impact on the way you collect, store and use personal data.
And with commentators suggesting that GDPR has the potential to be the next PPI scandal, it’s vital that you get it right.
For many firms, compliance will demand wholesale changes to your data processing systems and procedures. For Marketing teams, this represents a massive piece of work to ensure you do not breach regulatory requirements.
Here we look at the 10 things you need to know and do now to prepare.
1. Understand your firm's responsibilities
Getting a clear picture of what you need to do is the first step. In March this year, the Information Commissioner’s Office clarified the requirements of the new legislation – you can read more about what’s required here.
2. Carry out an audit
Review your current approach. What processes do you have for data protection and storage? How is data used? How do you get consent? This will give you an idea of the amount of work you need to do.
3. Identify whether you need a Data Protection Officer
The rules are not 100% clear, but it looks as if all public sector organisations will have to appoint an in-house DPO – an individual who will take responsibility for data protection. Private firms can decide whether to appoint a DPO or outsource the work. (If you decide to outsource, read more here about some of the compliance pitfalls to avoid.)
4. Risk assess and set priorities
Time to comply is limited. You need to carry out a risk assessment to identify key areas to focus on. Any systems that hold sensitive personal information should be a priority.
5. Identify external sources and experts that can help you
The GDPR has spawned a range of consultancies, conferences, guides and other support to help you to comply. Identify whether any of these can benefit you.
Sometimes, a little external expertise can make all the difference in setting and achieving your objectives.
6. Write a clear action plan
With time limited, you need clear actions and responsibilities. If you have a DPO, whether in-house or outsourced, they can help you to build an action plan. Set SMART goals with clear deadlines to help you break down and tackle the GDPR challenge.
7. Make sure everyone is on board
The need for GDPR compliance needs to be stressed from the top of your organisation. Ensure your senior management get behind creating a culture where good behaviours are embedded. Meeting the GDPR requirements is not optional, and the penalties are severe.
If a firm is deemed to be in serious breach, it faces potential fines of up to €20 million or 4% of its global revenue.
8. Get your internal communications sorted
Make sure anyone who will be affected receives clear guidance on what they need to do.
9. Prepare for a grilling by the Data Protection Commissioner
If asked, could you explain:
- Where you hold your clients’ and contacts’ data
- How it is accessed, and by whom
- How it is shared, both within and outside your organisation
- How you enable people’s personal information to ‘be forgotten’
You need to understand and be able to evidence the way you are addressing the regulation’s demands.
10. Understand your obligations if there's a data protection breach
Under GDPR, all companies and organisations will have just 72 hours to notify data subjects of a breach – or may be fined. Are you confident that your processes enable you to identify and report on a breach within these timescales?
The GDPR is just the latest in a long line of regulations affecting Marketing teams. Hopefully these 10 tips will help you build a plan to tackle its requirements.
For more tips and hints for compliant financial promotions, you can download our Marketing Guide to Compliance. It covers nine key areas that marketing needs to know about financial promotions and compliance, and you can read a copy here.