As you may have heard, May 25th, 2018 will mark the day that the new General Data Protection Regulations (GDPR) will take effect throughout the European Union. If you are an organisation that works in or offers services within the EU, then read on, because this new legislation may affect how your organisation is handling your customers’ personal data.
Today’s digital operating environment is evolving at a lightning pace, producing more personal data than we’ve ever seen. This means that protecting consumer data is becoming a more complicated task by the day. The predecessor to GDPR, the Data Protection Directive, was created in 1995 to combat an entirely different volume of customer data. Since then, platforms like Facebook and Twitter have revolutionised the way consumers offer their personal data through the web. The GDPR serves to protect individual rights in light of today’s technology and future innovations.
So what will need to change within your organisation? For starters, there are several processes that you might need to add in order to meet compliance standards, such as built-in privacy settings for your digital products and services, routine privacy assessments, updated personal data permission methods, and client communication protocol in the event of a data breach.
To make sure your company is ready for this new age of data protection, and to avoid any unpleasant surprises, these 6 steps should help you ensure that your business complies with the upcoming GDPR.
Step 1: Get to know the advantages of GDPR
Streamlining processes can be a great advantage for businesses in any sector. It eliminates inefficiencies and increases productivity, which has a positive impact on the bottom line. The GDPR will require all companies within the EU to use the same efficient system for handling data, creating coherence and consistency when multiple organisations interact with one another. This new legislation sets a standard of privacy and data protection that benefits both the company and the consumer.
Step 2: Learn the new rules
In order to meet the new criteria of the GDPR, you need to be aware of and understand these changes. Take a few minutes and familiarise yourself with some of the key rules that your company will need to adhere to.
· Criteria for consent: Have you ever read through the entire consent criteria for a company other than your own? Probably not, as these disclaimers are full of legal jargon and make for a time-consuming read.
The new conditions state that consent requests must be clear, easily accessible, written in plain language, and that it is just as easy for a client to withdraw their consent as it is to give consent.
With GDPR, the only legitimate way to collect personal data from your customers is through their clear and voluntary affirmation. Remove the pre-ticked boxes and instead allow the customer to mark for themselves whether or not they wish to share their information with your business. The same applies for Privacy Policies. Gone are the days of lengthy policies full of legal jargon and prove a hassle to the customer. Instead, make your policies clear, readable, and provide a space where the customer can either can confirm or deny their consent.
· The right to object: This rule dictates that customers have the right to choose in which ways their information can or cannot be used. Companies use their customers’ data in all sorts of ways, whether it’s to determine a marketing strategy, subscribe them to company newsletters or form profiles for the intended demographic. Up till now, companies were not required to share with customers how their data was being used. With the new standards imposed by GDPR, this becomes a necessary step.
Communicate with your customers before you use their data, allowing them to opt to make their data available for marketing reasons. Reach out to your customers and give them the choice to receive company emails. Separate subscription lists on your CRM according to what your customers have consented to.
· Protection for children: Under the GDPR, it is forbidden to collect the data of a minor. Children under the age of 16 need parental consent to provide personal information.
· The right to be forgotten: Up to now, companies have focused on obtaining a customer’s information, with little regard for removing this information at a customer’s request. The new guidelines of the GDPR state that customers can elect to have their information deleted entirely from a company’s system. This will mean adapting your CRM to determine which customers might want to exercise their right to perform this action.
· The right to rectification: This stipulation requires that entered data can be altered or corrected. Customers can request confirmation that the data they’ve given to a company is complete and accurate, and opt to make changes where needed. Ensure that your CRM is adapted to make these changes where needed. This change will also require a process to notify your customers when their data has been changed, so both the customer and company can stay up to date on who possess what information.
· The right to portability: This new rule allows customers to receive and transmit their personal data from one controller to another, creating less hassle and added convenience.
Step 3: Review the way you collect and process data
It may be necessary for your company to take a few extra steps when processing customer data under the new GDPR. The idea is that, in addition to providing an enhanced customer experience through data analytics, you must also protect customer data within your company.
Now, instead of marking information as “unusable” within your CRM, that information will need to be deleted entirely. Additionally, regulations will require that you have a legal standing for why you have certain customer data, and how you obtained it. This will deter companies from collecting more information than is absolutely necessary. To perform these process properly, update your CRM to implement these mechanisms automatically, leaving no grey areas when it comes to the protection of your customer data.
Step 4: Get rid of any processes that lack customer consent
As you may have guessed by now, the new priorities of data collection are consent and protection. As of May 25th, 2018, companies can no longer utilise pre-ticked boxes to obtain customer information. Providing consent now requires “clear affirmative action.” You will want to have a huddle with your tech suppliers and web designers to make sure they understand and comply with this and other new GDPR standards. If your company was obtaining most of their data through pre-ticked boxes, you will need to restrategise your marketing techniques.
Step 5: Privacy by design
Although this concept has been around for a while, it will now become a legal requirement for companies to include data protection measures in the original design of their systems. As a part of this, you should only hold the data that is absolutely necessary, and it should only be available to those who absolutely need it for processing. This re-design may feel like a great amount of added work for your programmers, but taking preventative measures to comply with the new GDPR standards will end up saving your company both time and money.
Step 6: Be aware of the consequences for non-compliance
Adherence to new GDPR regulations will have many beneficial implications for customers and companies alike. However, penalties for non-compliance can be severe. Depending on the level of the offense and the factors involved, fines can amount to as much as 4% of annual global turnover or €20 million, depending on which is greater. Determining factors will include the degree of company cooperation, the type of data involved, and whether the offense was intentional or the result of negligence.
You should now have a clearer understanding of the changes you can expect with the new GDPR. In the coming months leading up to the enforcement date, it will be important for your company to follow these steps and make any necessary adjustments to ensure that you are up-to-speed and in compliance with these new regulations.