10 steps that all marketers need to take to act on The GDPR
Four years ago, the European Commission proposed a radical shake-up of the arcane data protection and privacy laws that were failing to protect the interests, rights and freedoms of millions of consumers in the EU, who were facing an unprecedented threat from the misuse and misappropriation of their personal data.
With the explosion in use of the web, the Internet of Things, Cloud and mobile computing and all things digital, the EU was one of the most attractive places to do business as it’s the world’s biggest Digital Single Market.
But it was also quickly becoming one of the most unsafe places in the world to share personal data as 'cowboy marketers' looked to make a fast buck and millions of customers were getting spammed with unsolicited emails and offers on an industrial scale.
In response to these challenges and in the wake of the biggest increase in personal data breaches in history, the European Parliament took the brave and historic step last week to adopt the EU General Data Protection Regulation (GDPR), sweeping aside the Directive 95/46/EC and all other out-of-date data protection laws across the EU, including our own Data Protection Act 1998.
At 260 pages in length, with 99 Articles and over 100 pages of explanatory notes known as ‘recitals’, the GDPR is roughly three times the length of the Data Protection Act 1998.
In essence, the GDPR puts the EU citizen in the driving seat with respect to managing the flow of their personal data and imposes a higher standard on Data Controllers as well as Data Processors in an attempt to run the cowboys out of town!
Infringements of the GDPR don’t bear thinking about: they can attract fines of up to 4% of worldwide turnover or €20m, whichever is the greater, and can destroy many promising careers of senior managers.
A transition period of up to 24 months has been written into the GDPR and it’s my guess that marketers will witness the biggest shake-up in digital marketing they’re ever likely to see in their careers.
Data Protection Authorities (Supervisory Authorities) across the EU and the European Court of Justice are already issuing guidance and adopting the principles of the GDPR, so in many respects it’s misleading to think you’ve plenty of time on your side – you don’t!
And irrespective of 'Brexit', any UK organisation doing business in the EU will need to comply with the GDPR.
The key features of the GDPR
There are many features of the GDPR; to summarise, these are the three big ones that affect all marketers:
- Removal of the requirement of the Data Controller to notify or seek approval of personal data processing from the Data Protection Authority (DPA). Although this cuts ‘red tape’ the GDPR actually places a higher duty on organisations to put in place effective procedures and mechanisms focusing more on high risk operations (eg involving new technologies) and carry out a Data Protection Impact Assessment (DPIA) across the whole organisation rather than on a project basis.
- Data Processors (such as cloud service providers) now have direct obligations and this includes implementing technical and organisational measures and notifying the Data Controller without undue delay when there’s a personal data breach which now must be reported to the Supervisory Authority within 72 hours.
- In certain circumstances, both Data Controllers and Data Processors must designate a Data Protection Officer (DPO), a new breed of senior manager who is independent, although s(he) reports to the highest level of management. In reality they are like a ‘mini-regulator’ sitting at the centre of the company. Marketers should seek to keep on the good side of the DPO, particularly if they are regularly and systematically monitoring and processing personal data of customers, clients and supporters as part of on-going marketing activities.
But it’s not all doom and gloom.
In fact, it’s a MASSIVE MARKETING OPPORTUNITY! Yes, really! The GDPR is about several big ideas including building trust and confidence amongst consumers, providing a greater degree of transparency in how their personal data is being used but it also creates a level playing field for new entrants to come to market and succeed – data portability will make it easier for customers to switch to new services, for example.
As a result, marketers have a golden opportunity to raise their game and win new business by beating the competition and the cowboys!
A recommended strategy for success
These are the 10 steps I recommend that all marketers take NOW in order to navigate their way successfully through the GDPR transition period.
#1: Carry out a Data Protection Impact Assessment (DPIA).
Quickly undertake an audit of all personal data processing activities carried out now or planned to be carried out in the future. Is this personal data processing being conducted by consent of the Data Subject, or under ‘legitimate interest’ that hasn’t been overridden by the interests of the Data Subject? The burden of proof is now on the Data Controller to show evidence of consent, which needs to be unambiguous, and for the processing of ‘special’ personal data, such as sensitive financial data, consent must be explicit. Notices in ordinary language, the time period for which consent has been given and the purpose for which the personal data can be used all need to be properly recorded.
Use the transition period intelligently by carrying out re-consenting of existing customers and clients, so that you show you take their data protection seriously.
#2: Check all supplier contracts with Data Processors to ensure they are GDPR compliant
Data Controllers can’t pass the buck when things go wrong and blame the Data Processor as they may have tried to do in the past. They now share joint and several liability for personal data breaches. A Data Controller entering into long-term commercial arrangements (24 months or more) must check that these comply with the GDPR to be on the safe side, and must also ensure that the Data Processor acts in accordance with the GDPR; otherwise it will be liable for a big Administrative fine. This extends to visiting the premises of the Data Processor and ensuring that appropriate security measures against physical harm or damage, from flooding for example, are in place.
#3: Check all data protection policies, processes and procedures
The GDPR requires that information provided to the Data Subject is in clear and understandable language and that your policies should be transparent and easily accessible. Assuming that you complied with the provisions under the DPA 1998 doesn’t mean that you will comply with the GDPR. Ensure that you have clear policies in place to prove that you meet the new standards.
#4: Hire yourself a top-flight DPO
Join the queue of financial services organisations that want to get their hands on a top-flight DPO, although there’s a significant shortage of DPOs in Europe who can do the job, and they may command a big pay packet too. So consider, as a cost-effective option, executive education and training of a senior manager who could become the organisation’s DPO. The caveat here is that they can’t have any conflict of interest and can’t take instructions from the senior management team in the exercise of their duties and responsibilities.
Alternatively, hire the services of a freelance DPO, but make sure they have the right credentials to do the job. Under the GDPR, the DPO must maintain their knowledge and experience in order for the organisation to be compliant; otherwise it’s another Administrative fine!
#5: Practise the way you’ll deal with a personal data breach when it happens
There’s a saying that ‘practice makes perfect’, and certainly a key task of the DPO is to put in place clear policies and well-practised procedures to ensure that the organisation can react quickly to any personal data breach and notify the Supervisory Authority, Regulator and Data Subject in time where required. It also helps to ensure that the organisation adopts a risk-based approach to personal data protection and avoids internal confrontation between the DPO and the senior management team when the s*** hits the fan. Regular data protection awareness training and specialist technical training are mandated as a key responsibility of the DPO under the GDPR.
#6: Become a champion for transformation of culture in your company
This is perhaps one of the hardest things to do, and it’s implicit in reading the GDPR that organisations must be seen to behave ethically and appropriately and to do the right thing because it’s the right thing to do. This is about leadership, and the Senior Management Team (SMT) must be seen to be taking the lead here, supported by the DPO. The SMT needs to foster a culture of monitoring, reviewing and assessing data processing procedures, with the aim of minimising personal data processing and data retention and building in safeguards.
#7: Ensure privacy by design
This is a principle of the GDPR and must be embedded into any new personal data processing or financial services product. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create sustainable competitive advantage.
#8: Handle cross-border personal data transfers with extreme care!
This is a problematic legal area. With any international personal data transfers, including intra-group transfers, it will be important to check that the Data Controller has a lawful basis for transferring personal data to jurisdictions that are on an ‘approved’ countries list and are deemed to have adequate personal data protection. Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe not just financially but also from a reputation perspective.
#9: Keep your knowledge and skills in using personal data in marketing up to date
There’s no shortage of information, knowledge and good courses out there, so make sure that you invest your time to learn more and reap the benefits of becoming a much more valuable marketer.
#10: Treat customers as you would want to be treated yourself
Customers, clients and supporters are real people and deserve to be treated with respect rather than as some incremental sale opportunity. By putting people at the centre of the marketing process, and doing the right thing because it’s the right thing to do, you’ll be around for a lot longer than the cowboy marketers.
Ardi Kolah LLM is founder of GO DPO®, Co-Programme Director of the DPO Programme at Henley Business School and Editor-in-Chief of the Journal of Data Protection and Privacy. He can be contacted at ardi AT godpo.eu