The General Data Protection Regulation (GDPR) is a new law that went into effect in May and aims to protect the privacy of European Union citizens. It replaces the EU’s outdated data protection laws, last updated in 1995, which didn’t account for technologies such as cookie-less tracking, big data and mobile-device tracking.
Below are seven actions organizations that are storing personal data of EU or United Kingdom citizens – or are considering doing so – should take to ensure GDPR compliance.
• Step 1: Conduct an inventory of your company’s data-processing of contacts in the EU and UK. Have your EU and UK contacts provided consent to have their data stored by your company? If not, you’ll need a communication plan to request consent from these contacts.
• Step 2: Organize your data. If your company is ever investigated by GDPR regulators, you will need to demonstrate that you know exactly what personal data your company stores. Create a process that allows you to easily supply an individual’s personal data if he or she asks for it. Get rid of any personal data you’re storing unnecessarily.
• Step 3: Update your privacy policy. It should clearly explain what data you’re storing from your contacts, how and why you’re collecting it, and how you’ll be using it.
• Step 4: Put a process in place so that if someone asks you to delete their data, you can. Data may be stored in hard copies, in your email contacts, and in other places in addition to a centralized customer relationship management system. Having a process in place ensures you wipe data from all possible storage sources. If you receive a request to delete an individual’s data, you have 30 days to respond to the request and confirm the data has been erased. This includes confirming that any third parties your company has shared the data with (e.g. Facebook for advertising) have also erased the data from their environments.
• Step 5: Create “clear affirmative actions,” or opt-ins, communicating use of cookies, email marketing and any other marketing activities. Allow all users to take a “clear affirmative action” to consent to having their data used for marketing purposes. There are three areas we’re recommending our clients update with affirmative actions:
If your website uses tags or tracking code (cookies) from third-party advertising services, such as Google, to measure advertising results or remarket to visitors to your website, your website must now display a consent message that discloses what data is being collected and for what purpose. Even if you do not do business in the EU or UK, residents of those geographies may find their way to your website, so your company must have compliant consent measures.
If you send email campaigns of any kind to your contact database, we strongly encourage sending an email to all EU and UK contacts in your database about the changes your company has made to align with GDPR. This should include a call to action, in which recipients can reaffirm their consent to receiving email communications from your company.
GDPR explicitly prohibits the use of pre-checked consent or permission requests. Users must actively opt in to provide consent by taking an action such as checking a box, clicking a call-to-action button, or replying to an email to confirm they’ve opted in.
• Step 6: Verify that third parties your company partners with are GDPR compliant. This includes companies that provide commercial data or insights to your business, such as a company you would purchase a mailing list from. Under GDPR, the data-processing practices the third party uses must also comply with the law.
• Step 7: Create and deliver a communication plan to your employees regarding the new processes you put in place to comply with GDPR.
To ensure compliance, data protection should be the entire team’s responsibility.
Rhea Wharton is a marketing manager at TribalVision LLC in Warwick.