What Is GDPR And How It Will Affect Marketers
For web users and consumers, personal data acts as currency – sharing it gives access to numerous services and content. For marketers, data is key to running successful campaigns; it helps us recognise site visitors, target the right people with the right content and much more. And, crucially, it’s our responsibility to use and store the data we’re given with care.
However, the legislation around data use is changing – from 25th May 2018 the General Data Protection Regulation (GDPR) will be enforced across the EU. But what does this actually mean? How will it impact the way we all – marketers and consumers alike – consider data? And what can organisations do now to prepare for next year’s changes?
What does the GDPR mean for marketers?
Where marketing is concerned, this completely changes the way we think about handling data. Direct marketers will need to demonstrate how their organisation meets the lawful conditions. If an organisation cannot prove how it has obtained consent, the likelihood is that it will be fined. Marketers must align themselves with the GDPR principles.
The collection of data needs to be relevant for the purpose. This means that if you have run a campaign or competition, you can only use the information for that purpose. Creating another purpose to use that information will need further consent from the data subject. This is bad news for marketing, as a common practice has been to grow databases using these methods. Marketing databases will need to be cleansed and reviewed to ensure your organisation can identify whether consent has been granted lawfully and fairly, whether the data is being used for explicit and legitimate purposes, what data has been collected, and how accurate that information is.
Tips To Prepare For GDPR
With less than a year to go until GDPR is mandatory, what must organisations that process personal data do to prepare and transition?
- Raise internal awareness. Make sure that key stakeholders and decision makers in your organisation are aware of the upcoming changes, deadlines and implications of GDPR.
- Audit and document your data. Know what personal data your organisation holds/processes, identify where it came from and who you share it with.
- Review privacy communications. Review current privacy notices and set plans for any required changes.
- Account for individuals’ rights. Make sure you have procedures in place that address all the rights that individuals have, from how you would delete personal data to providing data electronically if requested.
- Identify your legal basis for processing personal data. Review the types of data processing you conduct, identify your legal basis for doing so – and document it.
- Subject access requests. Update your procedures and identify how you will handle requests in future.
- Put contingency plans in place. You need to be prepared to detect, manage, report on and investigate any personal data breaches.
- Consider how you obtain consent. How do you currently obtain and record consent? Do you need to amend any processes?
- Consider age verification as well as consent. Systems must be established to verify individuals’ ages and to gain parental/guardian consent for data processing where children are concerned.
- Assign a Data Protection Officer. Companies that process vast quantities of personal data, or process ‘special categories’ of data (sensitive data, such as race or religion) on a large scale, must designate a DPO to take responsibility for data protection compliance.
- Consider international implications. If you’re part of an international organisation, determine which data protection supervisory authority you fall under.
- Data Protection Impact Assessments. Make sure your organisation is familiar with ICO guidance on Privacy Impact Assessments and plan how to implement them.