A quick guide to the GDPR

Aug 10, 2018

In the highly unlikely event that you haven’t heard about it already, the GDPR has gone into effect. And if you are one of the many companies that will still have dealings with people in the EU after Brexit takes place, you’re going to have to know how to comply with it.

Don’t panic.

Considering the difficulties already being faced as a result of GDPR, we’ve put together this quick guide to get you through these changing times.

Customer rights

First, if you aren’t sure what your customers’ rights are, take a look at the GDPR site detailing data subjects’ rights. With that digested, there are a few ways you can provide what’s required.

Run a data audit: Audit all personal information you’ve collected from people in the EU (the GDPR applies to data subjects in the EU regardless of their nationality), including data harvested from cookies. Doing this, you’ll be able to figure out which data to keep and which to delete when customers contact you. So be sure to…

Draw up a new plan on how to garner consent: Unlike before, consent must be active and upfront: a pre-ticked box, silence or inactivity no longer counts as opting in. Make sure the data you are processing actually needs consent in the first place, since consent is only one of the lawful bases for processing. If it does, you have to make a valid request for consent that, under Article 7(2), is “presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.” Essentially, when presenting new information to a client or customer, the consent email, page or talk has to have its own separate section without anything else to distract from it. It needs to be clear, nondisruptive (so avoid pop-ups), and easy to understand. Now that you have consent you need to…

Set up a process to withdraw consent: Under Article 7(3) those you have collected data from have the right to withdraw their consent at any time, and you must tell them so before they give consent. Withdrawing consent must be as easy as giving it, so a management tool, web interface, or phone call should be enough. Keep it organized.

Appoint a Data Protection Officer: If data plays a large role in what your company and marketing does, you’re going to need a Data Protection Officer. Under Article 37 a DPO is mandatory if you are a public authority, if your core activities involve large-scale regular and systematic monitoring of individuals, or if you process special categories of data on a large scale. A DPO is essentially the voice of data privacy in your company. They act independently, must possess a deep understanding of data privacy law, must be provided with the resources to do their job, and report directly to the highest level of management. They can be hired in-house, but contractors are also available to avoid a conflict of interest. Failure to appoint one when required can draw a fine as high as €10m or 2% of annual global turnover, whichever is higher; breaches of the consent and data subject rights obligations in the steps above fall into the higher tier of €20m or 4%.

And if that isn’t a good enough reason, having a DPO means you’ll have someone on hand at all times to help with compliance and to help your company build a better understanding of a serious legal risk (the giving and withdrawing of consent) that is only going to get more interesting in the coming years.

Keep calm

And above all else, don’t worry that your business is about to blow up. Elizabeth Denham, the UK’s Information Commissioner, has already stated that her office isn’t going to make examples of companies that don’t comply right away:

“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.”

She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

So make the effort, and if you are still unsure what to do or how to do it, check out the 12-step PDF provided by the Information Commissioner’s Office (ICO). Good luck out there, marketers.