When the General Data Protection Regulation (GDPR) comes into force, there will be widespread changes to the way organisations are run. In particular, the marketing sector will face drastic upheaval – or what Graham Temple, the chairman of The Institute of Promotional Marketing, called “a seismic shift in [its] remit and responsibility”.
From 25 May 2018, when the Regulation will be applied, all personally identifiable data will need to be audited against the Regulation’s standards. Here is a brief overview of the steps marketers should be taking in preparation for the GDPR.
Get “explicit consent”
The GDPR’s consent requirements mean that organisations will need not just consent from individuals to process their personal data, but “explicit consent”. Unless an organisation has another lawful basis for processing the data, it will need individuals to take a deliberate action to opt in.
While consent in email marketing has long been an ambiguous topic, the GDPR is clear that marketers will only be able to contact EU residents who have given explicit consent to be contacted. This means that marketers will no longer be able to send unsolicited emails.
Organisations based outside the EU only need to abide by the GDPR in relation to data collected from EU residents. Such companies should audit their database to check who the Regulation applies to. As Matthew Hayhow of Software Advisory Service writes, there are three main ways that this audit can be done:
- Manually search for EU suffixes in subscriber profiles
- Use email service provider (ESP) tooling to identify and remove EU addresses
- Generate opt-in subscriber information based on physical location data
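The audit described above, as an added example that is not part of the original post or of Hayhow’s article: a first pass over a subscriber list that combines the three signals listed (email suffix, an ESP-style filter, and location data) and buckets each record by whether the Regulation applies and whether consent is already on file. The country-code list is assumed to be the EU-27 plus the .eu domain, and the sample records are constructed. A country-code suffix on an email address is only a weak hint of residence, so the code treats a non-EU country field that disagrees with an EU suffix as a record for manual review rather than deciding either way.

```python
from typing import Dict, List, Optional, Tuple

# Assumption: EU member-state ISO 3166-1 alpha-2 codes (EU-27). Keep this
# list under review; it is embedded here for the example only.
EU_COUNTRY_CODES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})
# ccTLDs mirror the ISO codes, lower-cased, plus the .eu domain itself.
EU_SUFFIXES = frozenset(c.lower() for c in EU_COUNTRY_CODES) | {"eu"}


def email_suffix(email: str) -> Optional[str]:
    """Return the top-level label of the address's domain, or None if malformed."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    if not domain or "." not in domain or domain.endswith("."):
        return None
    return domain.rsplit(".", 1)[1]


def classify(record: Dict) -> Tuple[str, str]:
    """Bucket one subscriber record and say which signal decided it.

    Buckets: eu_consented, eu_needs_consent, non_eu, unknown, review.
    An explicit country field wins over the email suffix; an EU suffix that
    contradicts a non-EU country field is flagged for a human to check.
    """
    country = (record.get("country") or "").strip().upper()
    suffix = email_suffix(record.get("email", ""))
    suffix_is_eu = suffix in EU_SUFFIXES if suffix else False

    if country:
        in_eu = country in EU_COUNTRY_CODES
        if not in_eu and suffix_is_eu:
            return "review", f"country field {country} but email suffix .{suffix}"
        reason = f"country field {country}"
    elif suffix_is_eu:
        in_eu, reason = True, f"email suffix .{suffix}"
    else:
        # A .com/.org address with no location data tells us nothing either way.
        return "unknown", "no location data and no EU email suffix"

    if not in_eu:
        return "non_eu", reason
    bucket = "eu_consented" if record.get("opt_in") else "eu_needs_consent"
    return bucket, reason


def audit(records: List[Dict]) -> Dict[str, List[str]]:
    """Group a subscriber list by bucket; values are the email addresses."""
    result: Dict[str, List[str]] = {
        k: [] for k in ("eu_consented", "eu_needs_consent", "non_eu", "unknown", "review")
    }
    for rec in records:
        bucket, _ = classify(rec)
        result[bucket].append(rec.get("email", ""))
    return result


# Constructed sample subscriber records (not real data).
SAMPLE_SUBSCRIBERS = [
    {"email": "anna@example.de", "country": "", "opt_in": True},
    {"email": "bob@example.com", "country": "FR", "opt_in": False},
    {"email": "carol@example.com", "country": "US", "opt_in": False},
    {"email": "dave@example.com", "country": "", "opt_in": False},
    {"email": "eve@example.fr", "country": "US", "opt_in": False},
]

if __name__ == "__main__":
    for bucket, emails in audit(SAMPLE_SUBSCRIBERS).items():
        print(f"{bucket:17s} {emails}")
```

Records landing in `eu_needs_consent` are the ones that cannot be mailed after 25 May 2018 without a fresh opt-in; `unknown` and `review` records need a better location signal before they can be placed in either group.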
Ensure data is accessible
Individuals’ personal data and records of their consent must be accessible in case of review or change. Information must only be held if it is relevant and required for the purposes that the customer has agreed to.
If a customer invokes their right to know what personal data of theirs is being held or their ‘right to be forgotten’, the organisation must be able to access or remove the data promptly.
Ensure data is secure
Companies that store personal data have a duty to make sure it is kept accurate and safe. Not only is this an obligation to customers, it is, as Matthew Hayhow writes, good business practice given that “nowadays consumers are very safety conscious about who stores their information. You can gain more business if you can assuage these fears.”
This can be done, Hayhow writes, by educating customers about how their data is being treated and by building a sense of trust with shoppers.
Appoint a DPO
Marketing activities will often fall under the GDPR’s definition of when an organisation needs to appoint a data protection officer (DPO).
Under Article 37 of the GDPR, a DPO must be appointed for all public authorities and where the core activities of the data controller or processor involve “regular and systematic monitoring of data subjects on a large scale”, or where the entity conducts large-scale processing of “special categories of personal data” (such as data on racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.).
The DPO’s tasks are outlined in Article 39 of the Regulation.
For more advice on preparing for the Regulation, read EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this guide provides an overview of the new regulation and the compliance obligations for handling data.
IT Governance also offers training courses to help organisations learn how the GDPR will affect them. Learn more about our EU GDPR training courses.