GDPR: A 10-step action plan
As we wind up another whirlwind year in data-driven marketing, one thing is abundantly clear: The consumer is more in charge than ever before. Data privacy and how brands are protecting consumer data is now in the spotlight, and amid the many buzzwords of 2017, one has had a curiously low profile among marketers.
The European Union’s General Data Protection Regulation (GDPR) represents sweeping new legislation designed to protect data rights of EU residents. It affects every organization that interacts with an EU resident in any way, wherever that organization may be. Enforcement starts May 25, 2018, and fines for failure to be in GDPR compliance can be severe: 20 million euros or up to 4 percent of global revenues, whichever is greater.
In short, this is a big deal, and what’s alarming is that few organizations have taken the steps necessary to achieve compliance. And failure to be in compliance is clearly going to create significant and ongoing risk.
While some organizations have appointed data protection officers or tasked CIOs or CTOs to manage the implications of GDPR, many others are still finding their way. Marketers, in particular, need to educate themselves on GDPR and take action to ensure they’re compliant in the ways they collect, manage, process and share information.
By law, data subjects (defined as any EU resident) do not relinquish their rights to their personal data and can request it from any organization they have interacted with.
While every organization needs proper consultation and legal advice on the matter, here are 10 things to do and consider as a framework for GDPR compliance to give you a head start on your own efforts, or to compare to the work you’ve already undertaken.
1. Raise awareness/create alignment
Many different people and teams touch an organization’s data. It’s important to ensure that decision-makers and key members of the organization are aware that the law is changing and that they appropriately anticipate the impact and potential risks of GDPR. There are webinars, events, and even entire conferences devoted to this topic in the US and globally, so, at this point, there’s no excuse for not getting educated.
I recommend bringing in some outside expertise, and ultimately, legal teams will need to be involved each step of the way.
2. Information mapping and data audit
Document and understand at a granular level what personal data is held, where it came from, how it was collected and with whom and how it is shared. Identify all sources of data and all types of data relationships (e.g., third-party tools and tags on sites). This can be a big task, so you may want to consider undertaking a formal information audit. Questions to be asked may include:
- Who are our data subjects? Who has access to sensitive data?
- Where do we keep their personal data? Where do we transfer personal data to?
- Why is personal data under our control (for what legitimate purpose)? Why do we share it with third parties? Do third parties share it with other entities? If so, who, how many and to what purpose?
- Until when are we keeping personal data? When do we share personal data with others?
- What mechanisms do we have in place to safeguard personal data?
- How is data being processed? How long should it be kept?
3. Notices & privacy communications
Do a full review of current privacy notices and ensure that these will align with requirements under GDPR before it takes effect. Notices must:
- indicate the processing activities occurring at the time personal data is collected.
- inform what processing activities are occurring if personal data has not been obtained directly.
- be present at all points where personal data is collected.
- at a minimum, touch on the following points:
  - The identity of the controller and of the data protection officer.
  - Conservation period (how long data will be kept).
  - The right of access, rectification, restriction and objection.
  - Right to lodge a complaint.
  - Recipients and transfers of data.
  - State the right to withdraw consent at any time.
  - Explain the legitimate interest of the controller or of a third party (if relevant) in the collection of the data.
4. Individual rights
Under GDPR, the rights of data subjects are greatly expanded and persistent. Organizations must be able to demonstrate that they can respond to a data subject’s personal data request, and generally, this must be done within 30 days. Compliance will require that organizations are able to demonstrate that they can:
- validate the identity of the requesting data subject.
- enable data subjects to request access to their personal data.
- respond to requests for personal data access.
- trace and search for a data subject’s personal data and deliver this within 30 days.
- accept requests for rectification and rectify personal data.
- accept requests for the erasure of a data subject’s personal data.
- know which additional controllers personal data has been transferred to.
- in the event of a data breach, contact those entities for data erasure.
- accept requests to restrict data processing and demonstrate when this has been done.
- accept requests for copies of personal data and transmit it (portability requests).
- locate personal data and export in structured, machine-readable formats.
- if processing for direct marketing, provide a mechanism to object.
- discontinue data processing and demonstrate compliance.
5. Legal basis for processing
Organizations are required to review their data processing activities and identify and document the legal basis for each type. They must ensure that:
- no personal data is collected beyond the minimum necessary for each specific purpose of the processing.
- no personal data is retained beyond the minimum necessary for each specific purpose of the processing.
- no personal data is processed for purposes other than those for which they were collected.
- no personal data is disseminated to non-public third parties for purposes other than those for which they were collected.
- no personal data is sold.
When data processing is likely to result in a high risk to the rights and freedoms of individuals, the organization must perform a Privacy Impact Assessment (PIA). This would include:
- a description of the processing.
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes.
- involvement of the data protection officer where one is designated.
6. Managing consent
A data subject never relinquishes their rights, so managing their consent becomes extremely important. You will need to ensure that consent is sought, obtained and recorded according to new guidelines, and that you are able to respond to inquiries regarding consent. At a minimum, you will need to:
- provide notification to data subjects, in clear and plain language.
- request and obtain the data subject’s affirmative and detailed consent.
- discontinue processing activities if the data subject denies consent.
- provide a mechanism for data subjects to withdraw consent.
- obtain affirmative consent from the parent or guardian of a child (under the age of 16).
7. Data security & breaches
Always in the news, and generally not good news at that, data breaches create reputational, legal, financial and many other types of risk for organizations. Not surprisingly, data security is well addressed in GDPR and requires that appropriate procedures are in place to detect, report and investigate data breaches. This includes:
- providing mechanism(s) to pseudonymize, encrypt or otherwise secure personal data.
- implementing security measures.
- confirming ongoing confidentiality, integrity and availability of personal data.
- providing mechanisms to restore the availability and access to personal data.
- facilitating regular testing of security measures.
- notifying the data protection authority within 72 hours in the event of a data breach incident.
- notifying affected data subjects of a high-risk data breach incident.
8. Privacy by design and default
Privacy by design requires that all consumer interactions and touch points have privacy designed right into them and that their default mode is one of compliance. This would require:
- processing activities have to be planned, designed and performed with data security and, more generally, compliance with the GDPR in mind.
- by default, only personal data which is necessary for each specific purpose of the processing should be processed.
- by default, personal data is not made accessible to an indefinite number of individuals without the data subject’s intervention.
9. Data protection officer
Any organization that manages data as a “core activity” or does so on a large scale or uses data collected via tracking and monitoring tools will need to appoint a data protection officer. The DPO will need to ensure that they:
- maintain audit trails to demonstrate accountability and compliance.
- maintain an inventory of data detailing categories of data subjects.
- maintain auditable trails of processing activities.
- carry out data protection impact assessments of processing operations.
- monitor compliance with data protection laws.
- liaise with and assist supervisory authorities.
10. Data transfers
Ensure that the data you’re collecting can be easily transferred or given back to consumers. Remember, they can ask you to return their personal data at any time. This means having the ability to provide data:
- in a structured and commonly used, machine-readable format (e.g., CSV).
- in a way that can easily be transferred to another data controller (this is known as “data portability”).
Basically, organizations need to be able to support this data transfer and give customers the ability to receive their personal data in a legible, common format.
Where to start?
While all of this is important (critical), if you want to kickstart your efforts, a good place to start is with information mapping and a data audit (#2 above). Not only will this help with GDPR compliance, it will also enable you to better understand your customers and make smarter choices when planning and allocating your 2018 budgets.
Technology has a role to play as well. Tag managers, customer data platforms and more have built-in solutions to help with GDPR compliance, and with the right guidance on data management and information mapping, organizations can find themselves not just compliant with GDPR but also better positioned to personalize their marketing activities for better ROI.
For marketers who get informed and educated about the GDPR, and take the necessary steps to achieve compliance, there’s a world of opportunity in these efforts. The consumer — not content — is king in this new era of data privacy, and getting out in front of this development has the potential to be rewarding.