With the General Data Protection Regulation coming into force on 25 May, it’s fair to say the new rules are a major focus for marketing teams.
For many of us, the challenge has been clarifying exactly what’s needed, and putting in place actions to tackle the new requirements.
It’s been predicted that the GDPR will be the next PPI scandal, driven by claims firms wanting to cash in as PPI comes to an end.
It’s also been claimed that it will be a bigger compliance challenge than another of the year’s big headlines, MiFID II.
With the scale of the task in mind, we look at five of the steps you should take before the new regulation comes into force.
- Get to grips with your data
Doing a data audit is one of the first steps in GDPR compliance.
John Mitchison, director of policy and compliance at the DMA, quoted in a Marketing Week article, says ‘This kind of data audit is often a bit of an eye-opener to organisations because there are always third parties, legacy systems or bits of data whizzing around that not everybody knows about.’
If you work in a professional services environment, in particular, it’s likely that not all your data is held by the Marketing team, or on a central system.
Consultants, lawyers and other client-facing advisers often keep their own lists of contacts, outside of your CRM. (If this is the case, it may be a sign that your financial promotions are out of control).
You need to capture any touchpoints where personal information is gathered to make sure they are all compliant with the new rules.
- Know your ‘lawful bases’
Businesses need to decide which of the GDPR’s ‘lawful bases’ they will use to process data.
One of the common myths about GDPR is that data processing all hinges on ‘consent’. But while consent is one of the lawful bases for businesses and organisations to process personal information, there are five other ways of processing data that may be more appropriate for your organisation.
Mitchison, in the article, says that in fact, ‘legitimate interests’ should be firms’ first choice of basis, with consent only used if you decide you can’t use legitimate interests.
Using legitimate interests as your reason for processing data requires that you have an existing relationship with the person in question, and can be reasonably expected to carry out the type of data processing you plan. They don’t need to be a customer – but do need to have an existing relationship with your firm.
There are some rules around this. For instance, the data processing you plan to do needs to be necessary – in other words, there is no less intrusive way to achieve the same ends. And you need to tell the individuals in question, when you collect their data, how you plan to process it.
- Get consent right
If you do use consent as your lawful basis for processing data, the way you capture it needs to meet GDPR standards on opt-in.
Steffan Aquarone, trainer at Econsultancy, says in the Marketing Week article that there are two areas you should focus on: ‘The specific places you should be thinking about are the consent on your website upon loading and the consent on any forms, including those that people fill in in the real world.’
Get your online privacy policy and data-capture forms right, and you’ll ensure any data you capture from now on meets the new rules.
This means making any opt in ‘freely given, specific, informed and unambiguous’.
For many firms, this requires an upgrade around the way you capture data and inform people how you plan to use it. Failure to opt out can no longer be taken as consent for data processing; proactive opt-ins are needed.
If your existing data capture methods don’t match up to the new standards, look at how best to contact existing clients and prospects to reconfirm their consent.
- Be careful around consumer profiling
You can data-profile your contacts under the legitimate interests or consent legal bases. For instance, segmenting them according to age, geography, or previous purchases or areas of interest.
You will need to be more cautious if you want to capture and segment data on more sensitive areas – income, for instance.
While you could argue that this type of profiling helps you comply with FCA requirements – around suitability, for instance – it may not pass the ‘legitimate interests’ test, and may need specific consent to make it compliant.
And as with broader data processing, the consumer has to be able to opt out of this type of profiling at any time.
- Create a clear policy around data breaches
Reporting data breaches is a key element of the new rules. The GDPR makes it compulsory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms.
This represents a new obligation in the UK. Under current data protection law, it is best practice but not mandatory to report most personal data breaches.
If there’s a ‘high risk’ to people’s rights and freedoms, organisations also need to report the breach to the people concerned.
What constitutes a high risk? The ICO suggests that high-risk situations are likely to be those where there’s potential for people to suffer ‘significant detrimental effect’. The examples they give of this are ‘discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage’.
The GDPR requires organisations to report a personal data breach that affects people’s rights and freedoms ‘without undue delay’. This means, where feasible, no later than 72 hours after the organisation becomes aware of it.
The ICO suggests that firms should ensure they have the roles, responsibilities and processes in place for reporting breaches. This is particularly important if you are a medium to large organisation with multiple sites or business lines, and is likely to require a large amount of work for many firms.
If you’re already regulated by the FCA, the regulator’s strict rules on record-keeping should give you a head start here – but there will still be steps you need to take to be GDPR compliant.
There’s no doubt that the GDPR represents a huge amount of work for most marketing teams. These five challenges represent some of the areas you should focus on. But of course, the GDPR is just one of the rules you need to comply with.
About us
At LS Consultancy, we offer a complete solution with a range of cost effective, regulatory compliance and marketing products and solutions including copy advice that are uniquely suited to supporting firms.