The General Data Protection Regulation (GDPR) has been in force for over four months and so far no organisations have been fined. Data is at the heart of our business, and as a business-to-business marketer it is important that we ensure our systems and data management remain fully compliant. In this blog we will show you how to work towards compliance in a few simple steps.
Where do I start?
Firstly, look at your data and categorise it into three areas. GDPR applies to “personal data” and to “sensitive personal data” (which the regulation calls “special category data”), but not to data that relates only to a business as a legal entity.
- Personal Data: Any information relating to a living individual who can be directly or indirectly identified from it, such as names, identification numbers, location data and online identifiers such as email addresses, usernames and IP addresses.
- Sensitive Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used to identify someone, health data and data concerning a person’s sex life or sexual orientation. Processing this data requires one of the specific conditions in Article 9 in addition to a lawful basis, and it is rarely appropriate for marketing.
- Business Data: Data that relates only to a company as a legal entity, such as its registered name, address and switchboard number, is not personal data. However, the work email addresses, direct-dial numbers and job titles of named individuals are personal data, even when they are only ever used in a business context. Note also that data about sole traders and partners in a partnership identifies individuals and therefore counts as personal data.
How do the new regulations affect marketing?
- Consent. The most notable change is to the “opt-in” process. Pre-ticked opt-in boxes are no longer acceptable: consent must be a clear, affirmative action that is separate and “granular” (one tick per purpose, for example email marketing and telephone marketing), singled out from any other terms and conditions. You must be able to demonstrate that consent was given, and the individual must have a clear right to withdraw it at any time, as easily as they gave it.
- If your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data, you are required to appoint a Data Protection Officer (DPO). In other cases it is still good practice to work closely with someone who owns data protection in your organisation.
- GDPR also requires organisations to report a personal data breach to the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform those individuals without undue delay.
What can marketers do to ensure compliance?
Firstly, review the ways you currently collect, process, retain and remove data. Then review which of the six lawful bases for processing best suits each of your data flows. For B2B marketers this is likely to be ‘consent’ or ‘legitimate interests’. Consent was covered earlier. ‘Legitimate interests’ allows you to process personal data where it is necessary for a legitimate interest of your organisation or a third party (commercial interests such as direct marketing can qualify), provided that interest is not overridden by the interests, rights and freedoms of the individual. In practice this means carrying out and recording a three-part balancing test: identify the legitimate interest, show that the processing is necessary to achieve it, and weigh it against the individual’s rights, including whether they would reasonably expect their data to be used in this way. If a business contact would reasonably expect to hear from you about what you are marketing and the impact on them is minimal, legitimate interests is likely to be available; if not, you will need consent.
The remaining stages include:
- Documenting your rationale (for legitimate interests, the balancing test itself), paying due consideration to the rights of your data subjects, and processing only the data that is strictly necessary for the purpose.
- Offering a clear and easy ‘opt out’ in every communication you send, and honouring it promptly. Under GDPR an individual has an absolute right to object to direct marketing, so once they opt out you must stop.
- Deciding how long you need to keep the data for, documenting that retention period, and putting processes in place to store it securely and to delete or anonymise it once you no longer reasonably need it.
Let us know how GDPR is affecting your business – Hello@skyfallservices.com