Don't panic. It's only the GDPR. And a chance to create personalized marketing while complying with EU privacy rules. Are you a marketer or product manager unsure about the GDPR? This post gives you an overview of how to handle data and connect systems and business processes. Let's get started!
Should we be nervous about the GDPR?
No, it's simple: from 25th May 2018 on there will be new rules on data management, data ownership and data storage.
Is it really necessary?
We think so, given the last EU protection regulation was created almost ten years before Facebook was founded. A comprehensive, EU wide regulation will provide positive standards for both companies and customers. Different privacy legislations across 28 countries will be unified and updated.
Are we affected?
Your business will be. Every company controlling or processing data is obliged to meet the 99 GDPR articles. Your company will be accountable for how it protects, accesses, processes, stores and documents data.
Are there non-compliance fines?
Yes, either €20 million or 4% of the company’s global turnover – whichever is higher.
Has the definition of Personal Data changed?
It sure has. The GDPR recognizes that there is no full anonymity on the internet, so all customer data will be classed as personal data, even pseudonymised data.
What digital analytic companies are GDPR compliant?
The one responsible for this blog, for instance!
The GDPR in 16 steps
- Make sure the company shareholders realize the GDPR will be the new standard for customer data. Organize an information audit across your company. Privacy is your new mantra! Minimize customer data and limit to only necessary data collection.
- Create an inventory of how personal data is used, kept, requested and accessed. Use Secure Sockets Layer (SSL) encryption when data is saved, and establish a data warehouse architecture.
- Your company is obliged to hire a full-time Data Protection Officer (DPO). You must designate a DPO if you are "a public authority; an organization that carries out the regular and systematic monitoring of individuals on a large scale; or an organization that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions." Read the complete guide by the ICO here.
- If you already have a Data Protection Officer, he or she should look at the data infrastructure and coordinate with IT, product management and marketing. Where is the data kept? When is it collected? And under which circumstances?
- Establish robust documentation of your data infrastructure. For instance, could you quickly delete a consumer’s personal data if asked? And can you prove it? The GDPR’s “right to be forgotten” requires this.
- Update your privacy notice to explain how personal data is processed.
- Are you remarketing? Imagine someone visits your website for the first time and seconds later sees a personalized online advertisement for your company. If they ask how their data is used, you need to answer fast.
- Adapt your opt-ins. Consent forms must meet the GDPR standard. Not only is an opt-in a must, but people should also have no trouble withdrawing their consent.
- However, visitors ignoring your consent form are not opting in. Combat this with additional and mandatory form fields. If you do not have the subscription record, then delete the corresponding subscriber.
- The GDPR was introduced in May 2016, so May 25th 2018 is actually the enforcement date. Get organized now. Don’t leave it until 24th May.
- All your websites must transparently illustrate what your data policy implies and how to opt out. Your opt-in requires a clear explanation of how a new customer's data will be used.
- Where are your servers located? You are more likely to comply with the GDPR if your company’s personal data servers are located in Europe.
- Are you prepared for a personal data breach? Does your company have the resources to investigate a data breach? Are your report standards high enough to compile a complete data overview within a day? Is your PR and marketing team ready for crisis communication?
- Be careful! If there's a leak of non-secured customer data, you must inform affected customers within three days.
- Stop interrogating your new visitors, subscribers and clients. If you sell computers online, you don't need to know if a new subscriber likes salami pizza. Only ask for what you have a legitimate interest in.
- Look for GDPR compliant service partners. We recommend Webtrekk (if you like us!).
Good luck! Remember, we’re here if you need us.
This blog post goes into specific passages in the text of the EU-DSVGO (the EU GDPR) and examines what exactly will change (and what will not). Read it now.