GDPR initially came into force on 25th May 2018, but there was no sign of companies being ready for it in the preceding months. Research in late 2016 by the Chartered Institute of Marketing found that 41% of marketers were unsure about best practices or laws surrounding the handling of consumers’ personal data. Regardless, the EU wanted to make businesses accountable for the way they handled this data, giving individuals more say over how their details are used.
There’s no question that GDPR was overdue since previous regulations were based on a document dating back to 1980, which was last updated in the mid-1990s. In two decades, the way people interact and live their lives has changed beyond recognition. Prodigious use of smartphones and social media has created a gold mine of personal data for businesses to tap into. Emerging web technologies like AI and virtual reality are set to reveal more about who we are.
Run-up to May 25th 2018
Complying with GDPR is a serious matter. Failure to do so invites huge fines of up to €20 million or 4% of global turnover, depending on the infringement. So what was it that companies had to do by May 25th 2018; the GDPR D-Day?
From the consumer end, the most visible change after GDPR was an increase in pop-up privacy policies and cookie consent forms. As frustrating as that might have been at the front end, there was a whole lot more to think about at the back end. Some marketers focused too much on their websites, leaving themselves exposed to GDPR violations by what they weren’t doing in the background.
Key Compliance Points for marketers
Some of the key points of GDPR compliance include:
- Personal data breaches; must be notified to end users and regulators within 72 hours of being identified. A register should be kept by companies to record all data breaches.
- Subject access request (SAR); upon request by end users, companies must provide details on the personal information being stored and how it is used. Electronically requested data can be delivered to the subject in a commonly used electronic form unless requested otherwise.
- Implement email preference centres: GDPR prevents the previously common practice of misleading opt-ins (e.g. using double-negative language alongside checkboxes). Companies must make it easy to unsubscribe from emails and newsletters, though this can present an opportunity to offer more tailored content or less frequent communications through preference centres.
- Data portability; compliant companies, must supply personal data to other data-users upon request by the end user.
- Consent; clear and explicit consent must be given before personal data can be processed. The end-user has the right to withdraw consent at any time.
- Privacy by design; organisational and technical infrastructure installed in companies must ensure data privacy and protection by default.
- Right to be forgotten; end users have the right to have all personal data erased and taken out of third-party circulation.
Companies also have to train employees in data protection and make them aware of their responsibilities. Businesses involved in prolific processing of personal data must employ a data protection officer (DPO) to oversee GDPR compliance.
Data Processing Agreements (DPAs)
A vital component of GDPR and one that has to be entered into by all parties is the data processing agreement (DPA). What is this? In a DPA, the “controller” is the person or business that determines the purpose of personal data and how it is to be processed. The “processor” is a third party who stores data on independent servers and/or processes it.
The GDPR made third-party processors more accountable so they couldn’t shirk responsibility for data breaches as was previously possible. A strict set of regulations now governs the relationship between these two parties. Controllers must enter into a written agreement with processors, who become equally liable for all stored and processed data under GDPR and can only act under the controller’s instructions.
Problems with GDPR Compliance
New EU regulations are one thing, but compliance is another. By July of 2018, only 20% of companies believed themselves to be GDPR compliant. Fast-forward to late 2018, and industry experts still think many businesses are out of line with GDPR.
One potential hurdle to GDPR compliance is “data sprawl”, which describes the fragmentation of data (both corporate and personal) across many files, archives, analytical platforms, data silos, locations and management systems. For many companies, this problem stems from before GDPR and, unsurprisingly, continues beyond it.
The problem of data sprawl is a challenging one for IT teams, who might have to trace and clean up “data swamps,” and create a centralised data platform that is easily accessible to all employees. Controlling data is in the best interests of companies concerning their business, as well, since it establishes trust and shows clients that their privacy is taken seriously.
What Else Can Be Done out of your website?
For many companies, complying with GDPR is no picnic. Aside from the fact that data might be spread far and wide, there are many in-house points to attend to. It requires excellent communication and team-work. What’s more, it needs constant attention; a company can fall out of compliance if it’s not careful. GDPR compliance is an ongoing process.
One way a company can get organised and eradicate mistakes is with purpose-designed software. For example, GDPR365 is a full-featured programme that helps with all aspects of GDPR compliance, including data risk assessments, built-in GDPR guidance, data-sharing contracts with other controllers, subject access management, managing data shared with external processors, data breach management and compliance assessment.
Online marketing tools such as chatbots, which are powered by AI, also have to comply with GDPR, so businesses still have to provide a clear consent form before using them to collect data. This data has to be accessible by the user, too, and can’t be used for covert distribution to other parties. A range of GDPR-friendly website plugins is available to marketers (e.g. online forms and GDPR compliance aids for controllers, processors or DPOs).
A Complete Solution and New Mindset
Companies and marketers that didn’t know it before will know by now; complying with GDPR is about much more than tweaking the front end of a website and keeping up appearances. It needs a whole new approach to the way personal data is used, stored and distributed. Those that get on board with it and are passionate about customer care will reap the rewards.