Create a GDPR Strategy
Published by: Albert Gibosse
The GDPR builds on the DPD; however, there are a number of important changes in areas such as consent, individuals’ rights, internal procedures (including updating legal and security documentation), supervisory authorities and reporting obligations, territorial scope, accountability and penalties.
The first change is in the area of consent
Whenever a data subject (the customer) is about to submit their personal information, the data controller (the company collecting the data from the customer) must ensure that the data subject (the individual who owns the data) has given their consent.
The GDPR also strengthens the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”.
Controllers are also required to provide evidence that their processes are compliant and followed in each case.
Under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of an “opt-out” mechanism. However, that has changed under the GDPR, which requires the data subject to signal agreement by “a statement or a clear affirmative action”.
The second change includes further protection for Individuals’ Rights
Data subjects will now have two new rights defined under GDPR that directly impact their individual rights.
These new rights are:
– a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests
– a “right to data portability” that allows data subjects to demand a copy of their data in a common format.
These two rights make it easier for users to request that any stored information about them be deleted, and/or that information collected about them be shared with them.
Likewise, the right of a data subject to access their personal data an organization holds on them has also been enhanced under the GDPR.
Moreover, in most cases organizations cannot charge for processing an access request unless they can demonstrate that the cost will be excessive. The timescale for processing an access request has also dropped significantly from the current 40 day period. In certain cases, organizations may refuse to grant an access request, for example where the request is deemed unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
The right to access one’s own data is an important part of the trust between individuals and organizations.
The third change addresses Internal Procedures
Ensuring GDPR compliance means that organizations must now review their internal procedures, update their legal and security documentation and procedures, and apply privacy best practices internally.
Privacy by Design
Privacy by Design is a new concept introduced by the GDPR that stipulates that, “when new technology is developed, it will have to be built with GDPR in mind, and to ensure that it has been built this way, an organization will have to perform a Data Privacy Impact Assessment.”
This ensures new technologies are designed with privacy in mind from day one, and not as an addendum.
Data Privacy Officer
GDPR requires many businesses to hire a Data Privacy Officer to help oversee these compliance efforts, including updating documentation such as privacy statements and notices, security documents and internal data protection and retention policies.
Because the GDPR is about transparency and building trust with your contacts, both ‘controllers’ and ‘processors’ will need to ensure their documentation is compliant.
Controllers are those organizations that collect personal data directly from data subjects for their own use, for example a company collecting personal data from its customers in order to market to them.
Processors are the third-party organizations that process this data on behalf of the Controller. Processors don’t collect data on the data subject and have no control over it. Instead they process the data in accordance with the controller’s instructions.
For example, if you use a third-party software system for email or web hosting, the entity that owns that software will be the processor of the data you input into or store in their systems.
The fourth change with GDPR is the One-Stop-Shop
The GDPR is working toward making your life easier with its “one stop shop” provision, which allows organizations with offices in multiple EU countries to liaise with a single “lead authority” acting as a central point of enforcement, rather than dealing with multiple supervisory authorities in different EU Member States, which would be time-consuming.
A new provision requires controllers, the organizations that collect and control the data, to report a breach within 72 hours of learning of it.
Territorial Scope is also a change with GDPR
Even if you are based outside the EU, if you market your products and/or services to people in the EU, or if you monitor the behavior of people in the EU, the GDPR applies to you.
Accountability has also changed with GDPR
The GDPR now requires companies to be able to demonstrate their compliance. This includes proving that staff have been trained, and that appropriate technical and administrative measures have been taken to ensure and demonstrate compliance.
For non-compliance, the GDPR introduces fines of up to €20 million or 4% of a company’s global annual revenue (whichever is greater), which is not insignificant.
This raises the following questions:
– What does this mean for the marketing industry?
– How does the GDPR help you?
Creating a GDPR Strategy will help your business build better relationships and help you grow.
Although the GDPR brings many new obligations and responsibilities, it also provides you with the opportunity to continue to grow your business while cultivating trust with your contacts by improving transparency and accountability with regard to how you treat their personal data.
Three key opportunities that will help you boost your inbound efforts
- The first is treating people’s attention with respect.
GDPR holds all inbound professionals to a higher standard and focuses on providing more value to customers. This means that you must focus on attracting the right customers and earn the right to speak to them.
As attention is a valuable commodity, the GDPR requires that all inbound professionals be more deliberate with the type of attention they seek. Therefore, GDPR makes us all more inbound.
- The second way to grow your business and build trust with your customers is being transparent.
In an inbound world, transparency is key. Today, few people see the benefits of sharing data, but they often do because they want to use a service or product.
Companies that collect data will become more transparent and they will communicate and provide value to the customer. With that, communication and transparency around data collection will lead to better understanding about why people should share data.
- Lastly, as the GDPR raises the bar for everyone, all strategies must include GDPR-compliant consent mechanisms built in.
This means that continuous innovation in inbound marketing is imperative.
Compliance with the GDPR will foster more creative and thoughtful marketing.