The General Data Protection Regulation (GDPR) is the most significant and comprehensive reform to data protection, privacy and security in the EU in the last 20 years. It harmonises data privacy and protection across the EU, simplifying and standardising regulatory requirements across member states, as well as giving EU-based individuals complete control over their data.
What information does GDPR apply to?
GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified – says the Information Commissioner’s Office (ICO).
It also applies to ‘sensitive personal data’ which are special categories of personal data – more detail regarding these categories can be found here.
Who does the GDPR apply to?
GDPR applies to organisations within or outside the EU that either control or process the personal data of individuals within the EU. A ‘controller’ determines the purposes and means of processing personal data, whereas a ‘processor’ is responsible for processing personal data on behalf of a controller.
So, how can businesses lay the foundation for achieving GDPR compliance?
Establish a legal basis for processing
Businesses must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is better or more important than another; the basis a business chooses will depend on how appropriate it is to the activity in question. Businesses will no doubt already have a basis for processing, but with the GDPR in effect it may be necessary to re-evaluate the current approach. The six bases for processing are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
The lawful basis will also affect which rights are available to individuals; more detail on this can be found here.
Before we go into what businesses need to cover to lay the foundation for good GDPR compliance, it’s important to first spread awareness of it (although everyone in business should be aware of the GDPR by now).
C-suite and senior business executives need to explain to everyone else within the business the importance of GDPR and the implications of non-compliance if they are to get buy-in. GDPR needs to be driven from the top down: if the C-suite and senior executives lead by example, showing the importance of compliance and helping others in the process, it will be much easier to get everyone on board.
In addition to doing the above, businesses need to:
1. Evaluate data sources
For businesses to achieve GDPR compliance, they need to first evaluate their data sources and investigate and audit what personal data is being stored and used across marketing activities. Under GDPR, it’s important to have a clear understanding of what data is being processed and where it is kept for auditing purposes – more on that later – without that knowledge, it will be difficult to ensure compliance.
2. Identify data types
Businesses need to know what data is buried in their databases or CRM. For personal data – names, email addresses, phone numbers – businesses need to be able to readily filter results to find personal information, as well as have a system in place to catalogue and categorise data as necessary. If businesses are able to compile their data in a structured and clear format, it will be much easier to maintain its quality and consistency.
3. Manage data regularly
Under GDPR, data needs to be accurate and kept up-to-date – but kept only for as long as necessary. On that basis, businesses must ensure that they manage data correctly, review it regularly, and delete any unnecessary data.
4. Protect the data
Being able to protect the data is crucial. Fines for data breaches under GDPR can be up to 20 million Euros or 4% of annual global turnover, whichever is higher.
Privacy by design should be a core component in protecting customer data. While businesses should be deleting unnecessary data regularly (which in itself helps keep information protected), they should also encrypt their data and anonymise it. Data should only be accessible to those within the business with the right level of authorisation.
5. Have a clear trail of compliance
For auditing purposes, businesses need to be able to prove their process for GDPR compliance. This means being able to produce reports that show regulators that they know where their data is stored, they know what data is stored, they can prove that they delete and maintain the data on a regular basis, and they are able to protect it.
GDPR is an opportunity
Instead of looking at GDPR as a compliance burden, businesses need to see it as an opportunity to refine their marketing activities – even if that means overhauling existing processes and going back to the drawing board!
A fresh start – a reset, so to speak – can have tremendous benefits. Businesses can lay the foundation for achieving GDPR compliance, allowing them to market around the consumer and treat their privacy as the foremost concern.
It’s also a chance to re-evaluate the marketing mix from a GDPR perspective – this way businesses can determine which channels will be most effective for lead generation in a post-GDPR world, helping in the process of achieving GDPR compliance. Many businesses are in the process of shifting their activities to focus on different channels within the marketing mix, and one channel that has had something of a revitalisation is direct mail marketing.
Under GDPR, direct mail marketing does not require consent, according to the ICO and Royal Mail, so businesses can use the legal basis of ‘legitimate interest’ instead when emailing potential prospects. If you want to find out more about how direct mail marketing can be utilised by your business, click here.
To find out more about the value of print mail and how you can use it in a post-GDPR world, please download our free eBook.