It seems one of the more popular topics of conversation in many marketing circles is GDPR. So we thought it might be helpful to put together a quick action guide to make sure you’re ready to go for the 25th of May when it all kicks in.
Great – so what do I need to do?
First, you need to map any personal data that flows into and out of your organisation and conduct a gap analysis.
Though there is a lot of hype around this, they are still dotting the I’s and crossing the T’s in terms of the details. The general position, however, is that we are all liable for the personal data we handle and use.
For example, if we’re supplied data by a client and we send out an email to this list, and the data is inaccurate or not as clean as it should be, it’s on us as well as them.
There are 2 clearly defined roles in this – the data controller and the data processor. They are different but you can be classed as both. Without going into detail, the controller has the responsibility of knowing about the data: where it’s housed, where it’s sourced etc. And the data processor? Well, they process it.
You need to clean up or bin your databases and make sure you’re putting the right steps in place if you manage or distribute data. If you don’t, expect to see an explosion of legal suits in the same vein as whiplash and PPI claims.
If you handle any personal data as a public authority, or you monitor individuals at scale or process certain categories of data (you can find these with a quick google), you need to have a Data Protection Officer and get them trained up.
(Note: they can’t be in a senior position, as the DPO duties are likely to conflict with their roles.)
Look at where you’re housing or storing data and make sure that it is secure and in the right country.
If questioned, can you demonstrate a responsible level of security?
Don’t store any data that you don’t really need.
At its heart, GDPR exists to protect individual privacy and personal data. However, if it’s a business email address and you can discern any personal data, like someone’s name, from it (e.g. email@example.com), that could probably qualify too.
Make sure your privacy policies etc. are all up to date and if you’re collecting data, make sure you’re doing it genuinely and in the right way.
And of course, make sure if you are using data, you can trace the opt-ins.
If you’re not sure your current mailing lists are going to cut the mustard, you might consider a pre-emptive strike and send a fresh, new compliant opt-in email, just to ensure you have everything buttoned down.