The General Data Protection Regulation will impact all businesses, particularly in the way marketing communications are sent to customers and how we look after our data. Failure to comply with the new rules will result in businesses being fined 20 million euros or four percent of the global annual revenue, whichever is the greater amount.
In this article, I will provide clarity on some of the key questions about GDPR and share my tips to help you and your business get ready for the May 2018 deadline.
What can I do now to ensure my business will be GDPR ready?
The General Data Protection Regulation is designed to harmonise the way businesses are storing, archiving and disposing of their data, so a good place to start on the journey to GDPR compliance is with data cleansing. You need to gain a good understanding of what data you hold, why you have it, what you intend to do with it, how you’re keeping it and how you discard it. There are a few ways to do this – you can either do it yourself in-house or there are companies that will help you. Once you know what data you have, things will start to become a lot clearer.
A key part of GDPR, which is often overlooked, is the updating of policies and procedures; you need to update these to be in line with the new regulation, but it’s also a way of proving your business has made the necessary changes to become compliant. All your documentation and audit logs are essential to prove compliance – without carrying out the necessary paperwork your business risks failing to meet expected standards and incurring a fine of 20 million euros or four percent of the annual revenue.
By making it easier for people to withdraw from my marketing, am I going to lose my database?
The new regulation states that you must make your withdrawal process clear; it needs to be as easy to withdraw consent as it is to give it. This doesn’t necessarily mean you’re going to lose your customers; it just means you’re being more upfront and clear about your processes.
Under the legislation, data subjects now also have the Right to Erasure and the Right of Access. The Right to Erasure applies when data is no longer necessary in relation to its original purpose or when the individual withdraws their consent. There are certain restrictions to this that will prevent a person from exercising their Right to Erasure.
Right of Access is the right that individuals have to obtain certain information, for example, access to the personal data you hold on them, or confirmation that their data is being processed. In this case you must provide a copy of the information free of charge.
Will GDPR affect my existing data?
The regulation will impact the way you market to your existing data but it won’t have a direct impact on that data. The law affects the things that surround your data, such as how you’re handling and protecting it.
All businesses will be impacted by the basics of GDPR and will have to adjust their business policies and processes in order to become compliant. By starting now and giving yourself plenty of time to adjust you can become compliant with minimal disruption to your business.
Early Preparation is Key
Following these steps will help you get started with the basics of GDPR, and they can be taken now. It’s important that you take the time to properly look through your own policies and procedures, and make the necessary amendments as these can be called upon for inspection at any time.
GDPR isn’t something that can be done overnight but email marketing is a great place to start as it forces you to sort your data and add in the necessary legal requirements of double opt-in marketing. There are dedicated websites to guide you through the process, or you could speak to an agency for guidance.