This is the second instalment in our GDPR series. Click here to read the first blog, and stay tuned for the final one coming soon.
GDPR will no doubt present some challenges for organisations as they ready their employees for the changes and attempt to understand the complexities of GDPR in practice.
With so much to think about and so much to do, it may be tempting to push this responsibility towards your marketing, communications, IT, and even HR departments. You may even be tempted to ignore it altogether. However, the GDPR will impact every department that engages with and processes personal data on behalf of your organisation, and as of 25th of May 2018, there will be no option to ‘opt out’ of GDPR.
None-the-less, with just weeks to go, many organisations remain worryingly under-prepared – overwhelmed by the jargon and unsure of where to start. If this resonates with you, you may want to visit our first blog in this series, GDPR Summary: When, What and Why? to get some insight on why GDPR matters for your business.
For those that are currently preparing or about to get started, here’s our GDPR checklist, highlighting some of the key things to consider right now to get you on track to being ‘GDPR ready’.
Make sure everyone is in the know about GDPR
Ensuring that all the key people within your organisation are aware that GDPR is coming and how the changes will impact your day-to-day business is an essential first step. Involving employees at all levels in your plans and openly communicating the changes that you are making in response to the GDPR will help to get buy-in and commitment to handle personal data in line with the GDPR.
At this stage, don’t forget about the external parties that may be handling personal data on your behalf. From your PR agency to your print suppliers and events companies, if personal data is involved, these external parties (or ‘processors’ as they are known under the GDPR) also need to be part of your planning.
Understand what personal data means in your business
Under the GDPR, personal data is ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.’
Essentially, if an individual can be identified in any way through the information you process, it will be subject to the GDPR. Despite some uncertainty over how and if the GDPR will apply to personal data in a professional capacity, according to the ICO, the GDPR will also apply to business-to-business personal data processing.
With that said, applying the ‘rules’ of the GDPR when processing any type of personal data is the best approach to be sure that you are within the law and to reduce the risk of any data breaches.
If you are still unsure of what constitutes as personal data within your business and how the GDPR applies to you, you can explore the ICO’s ‘Getting ready for the GDPR resources’ page with checklists, FAQs and advice on all things GDPR related.
Consider appointing a designated GDPR lead
As you begin the process of preparing your business for the GDPR changes, you may want to consider appointing a steering group and designated individuals to take on the role of data protection expert within your organisation.
A designated point of contact for the wider business will be useful for employees and suppliers to obtain more information on your specific data protection policies and processes, in addition to reporting any risk of non-compliance or an actual data breach.
If you are a public authority, or if you carry out certain types of processing activities, you may need to formally appoint a Data Protection Officer (DPO) under the GDPR. For all other companies, appointing this role is voluntary – but taking the step of appointing a DPO demonstrates a level of commitment to good data protection practice.
Either way, it is important to plan for how your organisation will operate under the GDPR in practice, as organisations found in breach of GDPR could face fines of up to 4% of annual global turnover or €20 million – whichever is greater – for organisations found in breach of GDPR.
Map your data and address the gaps
Undertaking a data audit and documenting any personal data that you process will provide a complete understanding of what you currently hold within your organisation.
This data audit will help to identify any gaps in your personal data processes that need to be addressed. Mapping this data from the point it was obtained will also help you to respond to personal data requests from individuals under the GDPR, and to manage any data breaches swiftly and responsibly for the ICO.
Under the GDPR, all organisations are required to document personal data to a certain extent. However, a more formal process for this will be required if you are an organisation with 250 or more employees. The ICO website outlines the formal requirements for documenting personal data, including when this is mandatory.
To refresh or remove? That is the question
Under the GDPR, you must have a lawful basis for processing this personal data. If your lawful basis is ‘consent’, individuals will now have greater rights under the GDPR to withdraw their consent at any time.
All individuals will have enhanced rights to ask for a copy of the personal information that is held about them (known as the “right to subject access” and individuals can request that their data is deleted (also known as the “right to be forgotten”).
This will be challenging to respond to promptly and fully if you are unsure about the personal data you hold, how this data was obtained, and how this data is being used by your organisation.
One option to consider is taking the ‘Wetherspoons approach’ and deleting all the personal data that you hold on customers and clients, and then start again. However, this is rather drastic, and most of this personal data may already be compliant.
A simpler approach is to plan for and undertake a personal data audit to identify gaps in your processes. Once you have done this, you can assess how much time, action and investment is needed to ensure compliance. You can then assess the cost-benefit of refreshing your data or removing it completely and starting again.
Review your personal data protection policies and processes
Transitioning your organisation to become GDPR compliant will no doubt require some changes to your current data protection policies. You may also need to review and update your current processes regarding consent and privacy notices.
Where you are relying on consent to process personal data, if your data processes currently fall short of the GDPR standards for consent, you may want to consider sending a ‘re-permission’ or ‘re-consent’ email to your databases to cleanse this data.
To give control to the individual, you can offer the option to refresh preferences, in addition to the option to ‘unsubscribe’ from your database at any time.
When the GDPR is in force, consent will require a positive opt-in, meaning that the use of pre-ticked boxes or any other method of default consent will not be considered acceptable. Being clear and concise with your consent terms and how you will process personal data is an absolute must under the GDPR.
Furthermore, you also need to be sure that you are re-engaging with people who want to be contacted. If you try to have another go at winning back your ‘unsubscribes’ with this approach, there’s a good chance you’ll be in breach of the GDPR.
Taking a more positive view, the need to re-consent is also a good opportunity to show some creativity and re-engage with your existing subscribers. You can offer an incentive to respond, such as a prize draw opportunity or some new preference options. This will give your customers more control, whilst also helping you to improve engagement with your customers with more relevant communications going forward.
A prime example of a creative approach in this context is the GDPR campaign created by Manchester United FC. The football club issued an easy to understand animated video to explain how personal data is being collected and processed with some incentives to re-consent to continue receiving marketing communications from the club.
If you decide to contact your database to re-consent in any way, be sure that you are not contacting any unsubscribers who have already specifically informed you that they do not want to be contacted for marketing communications. Doing this will most definitely be a breach of GDPR and current data protection laws, as the airline Flybe and the carmaker Honda Motor Europe found out following an ICO ruling in 2017.
Don’t forget about crisis and response planning
In the same way that organisations will draft holding statements and prepare for a potential crisis, preparing an adequate response plan for a data breach, both in terms of the legal steps required under the GDPR and the steps you need to take to manage concerned customers and the media, is essential to do.
Talk to your PR agency to develop a plan and prepare for potential breaches. This might include media training for key spokespeople, developing a customer care plan to support individuals who might be affected, and preparing holding statements in advance to manage media enquires while you focus on dealing with the requirements of the ICO.
Ensuring that this response plan is clear and available to your employees is also good to do. This will enable you to respond to a personal data breach and exercise damage control without delay, with every individual taking responsibility for GDPR compliance and reporting.
GDPR isn’t just about customer relationships
When it comes to data protection law and processing the personal data of individuals, good practice and a commitment to full compliance with the law is everyone’s responsibility.
Updating or putting in place new contractual arrangements with external suppliers and business partners to govern how you will use personal data will help to demonstrate compliance and mitigate any potential issues with processing personal data beyond your organisation. This might include electronic mailshots, managing your website data processing, or printing personalised invitations for an event.
This step is key for the organisation (‘data controller’) as well as the supplier (‘data processor’), as both will have responsibility to be GDPR compliant when sharing data with one another.
In addition to customers and external facing channels, don’t forget about the individuals inside your own organisation. Communicating new data protection policies and GDPR specific notices internally with your employees is vital to ensure that every employee is aware of what the GDPR is, what it means for your business, and what steps you are taking to ensure that you are processing personal data responsibly.
With that all said, emphasising compliance with GDPR across every part of your business and making a robust plan to prepare for the changes to current data protection law cannot be underestimated. At the very least, taking these basic steps to prepare your organisation will help you to start your GDPR journey and ensure that you have the necessary processes in place for continued compliance.
Planning for GDPR Compliance
As the saying goes, not having a plan is planning to fail and you really can’t afford to fail when it comes to responsible management of the personal data of others.
In our final blog on GDPR, we will look at the potential opportunities that the GDPR presents and how improving your personal data processes can deliver a positive message about your brand and your business. Stay tuned!