GDPR: A 10-step action plan

As we wind up another whirlwind year in data-driven marketing, one thing is abundantly clear: The consumer is more in charge than ever before. Data privacy and how brands are protecting consumer data is now in the spotlight, and amid the many buzzwords of 2017, one has had a curiously low profile among marketers.

The European Union’s General Data Protection Regulation (GDPR) represents sweeping new legislation designed to protect the data rights of EU residents. It affects every organization that interacts with an EU resident in any way, wherever that organization may be. Enforcement starts May 25, 2018, and fines for failure to be in GDPR compliance can be severe: 20 million euros or up to 4 percent of global revenues, whichever is greater.

In short, this is a big deal, and what’s alarming is that few organizations have taken the steps necessary to achieve compliance. And failure to be in compliance is clearly going to create significant and ongoing risk.

While some organizations have appointed data protection officers or tasked CIOs or CTOs to manage the implications of GDPR, many others are still finding their way. Marketers, in particular, need to educate themselves on GDPR and take action to ensure they’re compliant in the ways they collect, manage, process and share information.

By law, data subjects (defined as any EU resident) do not relinquish their rights to their personal data and can exercise those rights, including requesting that data, against any organization they have interacted with.

While every organization needs proper consultation and legal advice on the matter, here are 10 things to do and consider as a framework for GDPR compliance to give you a head start on your own efforts, or to compare to the work you’ve already undertaken.

1. Raise awareness/create alignment

Many different people and teams touch an organization’s data. It’s important to ensure that decision-makers and key members of the organization are aware that the law is changing and that they appropriately anticipate the impact and potential risks of GDPR. There are webinars, events, and even entire conferences devoted to this topic in the US and globally, so, at this point, there’s no excuse for not getting educated.

I recommend bringing in some outside expertise, and ultimately, legal teams will need to be involved each step of the way.

2. Information mapping and data audit

Document and understand at a granular level what personal data is held, where it came from, how it was collected and with whom and how it is shared. Identify all sources of data and all types of data relationships (e.g., third-party tools and tags on sites). This can be a big task, so you may want to consider undertaking a formal information audit. Questions to be asked may include:


3. Notices & privacy communications

Do a full review of current privacy notices and ensure that these will align with requirements under GDPR before it takes effect. Notices must:

4. Individual rights

Under GDPR, the rights of data subjects are greatly expanded and persistent. Organizations must be able to demonstrate that they can respond to a data subject’s personal data request, and generally, this must be done within 30 days. Compliance will require that organizations are able to demonstrate that they can:

5. Legal basis for processing

Organizations are required to review their data processing activities and identify and document the legal basis for each type. They must ensure that:

When data processing is likely to result in a high risk to the rights and freedom of individuals, the organization must perform a Privacy Impact Assessment (PIA). This would include:

6. Managing consent

A data subject never relinquishes their rights, so managing their consent becomes extremely important. You will need to ensure that consent is sought, obtained and recorded according to new guidelines, and that you are able to respond to inquiries regarding consent. At a minimum, you will need to:

7. Data security & breaches

Always in the news, and generally not good news at that, data breaches create reputational, legal, financial and many other types of risk for organizations. Not surprisingly, data security is well addressed in GDPR and requires that appropriate procedures are in place to detect, report and investigate data breaches. This includes:

8. Privacy by design and default

Privacy by design requires that all consumer interactions and touch points have privacy designed right into them and that their default mode is one of compliance. This would require:

9. Data protection officer

Any organization that manages data as a “core activity” or does so on a large scale or uses data collected via tracking and monitoring tools will need to appoint a data protection officer. The DPO will need to ensure that they:

10. Data transfers

Ensure that the data you’re collecting can be easily transferred or given back to consumers. Remember, they can ask you to return their personal data at any time. This means having the ability to provide data:

Basically, organizations need to be able to support this data transfer and give customers the ability to receive their personal data in a legible, common format.

Where to start?

While all of this is important (critical, even), if you want to kickstart your efforts, a good place to start is with information mapping and a data audit (#2 above). Not only will this help with GDPR compliance, it will also enable you to better understand your customers and make smarter choices when planning and allocating your 2018 budgets.

Technology has a role to play as well. Tag managers, customer data platforms and more have built-in solutions to help with GDPR compliance, and with the right guidance on data management and information mapping, organizations can find themselves not just compliant with GDPR but also better positioned to personalize their marketing activities for better ROI.

For marketers who get informed and educated about the GDPR, and take the necessary steps to achieve compliance, there’s a world of opportunity in these efforts. The consumer — not content — is king in this new era of data privacy, and getting out in front of this development has the potential to be rewarding.

About The Author

David Booth
David Booth is a co-founder and Partner at Cardinal Path, where he helps organizations use data and digital intelligence to gain competitive advantage in their markets. He is an author, adjunct professor, and public speaker, and as a consultant David has worked across five continents helping audiences ranging from C-level executives to technical implementation teams with digital analytics, business intelligence and digital marketing.