GDPR Compliance – The nightmare after Xmas

GDPR COMPLIANCE THE NIGHTMARE AFTER XMAS

GDPR is coming soon, only one Christmas to go

If anyone ever bothers with an annual PEST analysis outside of school. GDPR compliance is the most PEST of all PEST analysis in recent years.

If I was Robocop I’d be telling you (at the time of writing) you’ve got 132 days to comply. In reality, you’ve got until 25 May 2018 comply. Which seems like ages away, but as Ferris Bueller said – time moves pretty fast… its going to be upon you before you know it.

To prove our point, here’s what a typical marketers calendar looks like between now and May 2018.

The potential marketing calendar for Marketers in the months ahead

Nov – Xmas, Black Friday, cyber Monday

Dec – Xmas Xmas Xmas, Sale

Jan – Sale

Feb – Valentines

March – Easter

April / May – GDPR compliance. Shit.

You see GDPR, is not only a bloody awful acronym, it’s also a bloody hard piece of legislation to deal with. Trust me on that, we’ve been following this for an age, and pardon our European, but you simply can’t afford to f**k this up. If you do you are going to have a nightmare.

 

So what’s this GDPR compliance stuff then?

GDPR is the long overdue update to the existing data protection laws across Europe. It’s going to impact everyone, that’s you at home as well as at work.

The focus is on privacy and transparency of the data you collect from your customers/audience. You will need to be transparent with your audience about what data you collect and how you use that information.

You are going to prove you have consent from your audience to collect, process and manage their data, and people will also have the right to be forgotten.

And the definition of personal data has been expanded to include cookies as well as the normal name, address, telephone, email and demographic data you may collect.

So quite a bit is going to change.

 

How to prepare for the post GDPR world (a two minute guide)

Sorry to add to your burden but here are some of the things you needs to know.

Are you a data controller or a data processor.

This is a key question, but what’s the difference? If you are a data controller you are controlling the data within your business. However, you may outsource some data controller responsibilities, for example email marketing or hosting of your website to your marketing agency, in both of those cases you are going to make sure that the outsourced providers you use are going to be compliant, you are also going to need to make sure that’s clear in your privacy policy.

As a data controller, you are bound to use data processing providers – such as our very own Websand. So you need to make sure that these providers are also compliant. BTW it’s not just marketing, it’s also going to payroll and other systems within your business that handle personal data.

 

Get the Consent

Let’s look at this in stages as it’s super important.
1. You need to make sure that you update your privacy policies and terms and conditions related to the personal data you hold, and GDPR. You’re going to have to make sure that your policies make it very clear what you are going to do with the data you collect.
2. Once you’ve got that bit clear, you are going to need to get the consent of folk as they sign up. If they don’t agree then you can’t sign them up.
3. The existing folk in your data also count, you are going to need them to agree to the update in your terms and conditions to prove that consent.
4. Once you’ve got the consent, then you simply need to follow the guidelines you’ve already set out in your policies and procedures.

 

Understand what you’ve got.  The handling of the personal data

The personal data you collect originates from someone, and they can demand to be removed from ‘your data’ if they wish – that sounds a hell of a lot easier than it actually is.

So as well as handling all the ‘proof of consent’ you also need to be able to handle that.

A data audit is a very good idea, especially to determine the ‘hidden’ data processors within your business.

 

data journey
Here’s a fine model to follow from the good people at audiencedatasharing.org

 

How your business handles things.

As you may have gathered this changes could be significant for quite a few businesses, especially companies that don’t usually rely on concept or are handling a lot of personal or sensitive data.

For some data processing providers – that offer ‘magic’ for marketers, such as remarketing, they will need to gather consent. Once the audience knows how the magic works, they tend to lose interest, so these providers could have some significant hurdles to cross.

Depending upon the size of your business (and what you do), you may need to create the position of ‘data protection officer’. They would responsible to ensure that you operate within the new GDPR guidelines and manage you compliance. However, even if you don’t need a someone within your business needs to be assigned responsibility for your GDPR compliance.

 

Brexit?

It seems to be one of the only things that has been agreed. It’s already under process and the timetable across Europe has been set.

One key thing to note is that if you are operating across the EU from the UK, you should explore a thing called ‘lead data protection authority’. Basically who is taking the lead.

 

20 million reasons to get this right

And if you get this wrong, the fines have increased substantially. From 25 May 2018, the maximum fine that can be enforced to €20 million or 4% of global turnover. I think a prime example of where these types of fines would be applied would be the recent Uber hack.  That being said, the ICO have advised that it will be ‘business as usual’.  They’ve said they aren’t looking to make examples of businesses.  However, they do have extra power, so best to be prepared.

 

A finally a word of caution.

The summary above is a guide (October 2017, things are changing all the time on this as many grey areas are still to be formalised).

Rather a lot of noise is being generated around GDPR, it’s a massive and complicated change so you need to get the best advise.

We are keeping our blog up to date and we are on the way to GDRP accreditation.  So we are doing our best.  However, but the best source of information is the ICO website after all they are going to be enforcing the legislation.

So as you can see, there may be trouble ahead. However, it’s time to get your plans in place now, and safeguard against the potential nightmare after Xmas.

If you’d like to know more about how we can help you get ready for a post GDPR world, please click here.

 


Also published on Medium.