As we explained in our previous blog, under the terms of GDPR all organisations that offer services or products to customers who are EU citizens are required to look after their personal data. GDPR defines the lawful grounds for data processing:
We believe that there is a lot of hype, confusion and, frankly, misinformation out there. GDPR compliance may seem a daunting task, but many of the scare stories are not true. We suggest a five-point GDPR plan to give your business the best chance of GDPR compliance; you can find more information on the Information Commissioner’s Office (ICO) website.
A Data Protection Officer (DPO) is the individual within your organisation who is responsible for monitoring compliance with GDPR. This could be an existing employee within your business or a new hire, or the role can be outsourced. The reality is that unless your business is processing large quantities of personal data, a suitably trained existing employee would be satisfactory.
Audit all data use within your business and identify all of your data processors. Classify them as first-party or third-party data processors and, for each data processor, detail:
Check the respective privacy policies of all the third-party data processors you have identified and ascertain that they are GDPR compliant; those based in the US should be Privacy Shield compliant. If any are non-compliant, contact them and consider replacing them with a similar provider that is compliant.
Remember, under GDPR the data is your liability, so unless you really need to keep the data, you should consider deleting it.
Organisations wishing to conduct outbound marketing campaigns, such as email or mailshots, may find gathering consent extremely difficult purely from a logistical perspective. In this instance, businesses should conduct a “Legitimate Interest Assessment”. This can be used to demonstrate that the processing is necessary.
This assessment includes a “Balancing Test” to establish whether your business interests outweigh that of the data subject or not.
Although this might seem to weigh against having a legitimate interest, this is a subjective test and can be carried out by your Data Protection Officer. The assessment of whether a data subject would have a legitimate interest in your products/services needs to be formally documented, to prove to the relevant authorities that the subject’s data rights have been properly considered.
During the audit, any data risks associated with your website will become apparent. These might be third-party data processors, forms on ‘contact us’ pages, contact forms on landing pages, newsletter sign-up forms or pop-ups. Consider how these data-gathering processes might affect an individual’s privacy and tighten up the process. This might be as simple as adding a tick box to confirm consent.
GDPR, with its eye-watering fines, might appear to be a sledgehammer to crack a nut. However, it’s worth considering the motivation behind GDPR. GDPR’s key objective is to protect individuals’ data from being misused.
Sadly, GDPR will not stop spammers; however, it does mean that legitimate businesses with a genuine need to hold and process data in order to communicate with their customers will need to do so responsibly.
GDPR will help reduce unsolicited and badly managed digital marketing, and businesses that can prove they have a GDPR plan and have taken all the necessary steps to safeguard stored and processed data that can be attributed to an individual should have nothing to fear.
Please note: whilst we’re ready for GDPR, and are confident it’s a good thing for marketers and consumers alike, we’re not lawyers and this blog does not constitute legal advice. The ICO continues to produce GDPR guidance, so keep an eye on its website for updates.