If you missed my previous blog on the GDPR and what it is, you can catch up here. This blog, however, sheds more light on preparing for the GDPR, helping businesses get on top of the latest regulatory changes and make sure they are ready come 25th May 2018.
Understanding the definition of ‘personal data’
As outlined in my previous blog, the GDPR applies to both controllers and processors who handle the ‘personal data’ of EU residents. To recap, controllers are those who determine why and how personal data is processed – essentially anyone who holds personal data belonging to individuals and decides what is done with it. For example, government bodies, voluntary organisations, hospitals, and even your Internet Service Provider (ISP).
Processors, on the other hand, process personal data on the controller’s behalf – think payroll companies, accountants, market research companies, surveyors; essentially anyone who processes personal data on behalf of someone else.
The GDPR further extends the scope of what defines ‘personal data’ to account for changes in technology and the way in which organisations collect information about people, such as cookie and IP tracking.
Personal data, according to the GDPR, means any information relating to an identified or identifiable individual, including: name, location data, online identifiers (cookies, IP addresses), identification number, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person – so, pretty much everything!
It’s important to take these changes into consideration, as they will undoubtedly influence your business’ marketing activity and how it records data on individuals. This is particularly relevant for marketers: cookie identifiers and IP addresses now count as ‘personal data’ wherever they can be tied to an individual, so if you use them to track and market to people you need a lawful basis for doing so – for tracking cookies, in practice, the individual’s consent – and you must disclose your data collection and processing practices up front. State why you are setting cookies and tracking IP addresses and what the individual’s information will be used for. Be transparent about your activities and what you’re using data for!
Getting your data in order and appointing a Data Protection Officer
Sort out your data!
First and foremost, ensure you set aside some time to get your whole business and Board together to understand what personal data is being managed and/or processed by the business. You need to know where that data is, how it is being managed, and what it is being used for.
Once you know the above, you need to get buy-in from everyone in the business – and this starts by educating everyone on the importance of data governance and how it can improve the business’ data quality. This needs to be driven from the top down (I mean your top Executives!) if it is to be adhered to and digested by everyone in the business. Ensuring everyone is aware of where data is captured and how it is being used will make it easy to develop a strategy for GDPR compliance.
Appoint a DPO
To manage your business’ data more effectively, you should appoint a Data Protection Officer (DPO) to oversee your business’ data processing and data management activities. The DPO can be someone from within your business who has a comprehensive understanding of the business’ data management, or you can contract the role out externally – the choice is yours. However, the DPO must have professional experience and expert knowledge of data protection law and practice, proportionate to the processing your business carries out. Essentially, even if you only process basic categories of data such as age or gender, the DPO must know the legal requirements the business must adhere to in order to process that data. An internal DPO may hold other roles, but not ones that conflict with the DPO’s duties – for example, being the person who decides what data is collected and why.
Under the GDPR, you must appoint a DPO if you:
- are a public authority;
- carry out regular and systematic monitoring of individuals on a large scale (online behaviour tracking, for example); or
- carry out large scale processing of special categories of data (racial or ethnic origin, political opinions, religious beliefs, genetic data… it goes on!) or data relating to criminal convictions and offences.
If your business does not meet any of the above criteria, a DPO is not mandatory, but I would suggest you appoint one anyway, either internally or externally, as it gives your business a clear owner for its GDPR compliance obligations.
Consent and cookies, double opt-in and requalifying lists
As I stated in my previous blog, where you rely on consent to market to people, the GDPR requires that consent to be freely given, specific, informed and unambiguous – individuals must make a clear ‘affirmative action’ (such as ticking an unticked box or pressing “accept”) to signal their consent to being marketed to; pre-ticked boxes, silence or inactivity do not count. In addition, you must inform individuals about how their data is going to be used and protected by your business.
And the GDPR treats cookie identifiers as online identifiers – personal data wherever they can be linked to an individual.
Next, double opt-in.
With single opt-in, individuals fill out a form on your website and are immediately added to your business’ mailing list and CRM. Even if the information is invalid, contains a typo, or belongs to someone else entirely, it’s instantly added. Double opt-in, however, is a two-step verification process: individuals who fill out a form on your website are sent a confirmation email before being added. This email asks the recipient to confirm they want to receive email communication from you – if yes, the recipient clicks a confirmation link and is taken to the subsequent thank-you page. The click proves that the person who controls that inbox actually made the request, which a web form alone cannot. With double opt-in enabled, you not only develop more qualified lists (people actually interested in hearing from your business), but also obtain and record clear, unambiguous consent from your new contacts – the evidence the GDPR requires you to be able to demonstrate.
Lastly, requalifying your lists.
Under the GDPR, your existing contact database may need to be requalified. If you have been marketing to individuals without their consent – they have not ticked a box or agreed to anything – or the consent you hold does not meet the GDPR standard, you will be breaking the law come 25th May 2018 unless you have another lawful basis for that marketing.
On that basis, a requalification campaign using double opt-in should be run across your current mailing lists if you have not been collecting consent. It will let you obtain renewed (or new) consent from those you market to, and remove those who do not provide it. This may shrink your mailing lists, but you will have achieved four incredibly important things:
- A qualified list of people absolutely interested in hearing from your business;
- Obtained clear, unambiguous consent from your contacts;
- Created an auditable trail of consent – who consented, when, and to what wording – satisfying the GDPR’s requirement that you be able to demonstrate consent;
- Avoided the fines that come with breaking the rules of the GDPR – up to €20 million or 4% of global annual turnover, whichever is higher.
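To make the double opt-in flow and the consent trail concrete, here is an added example (my own illustration, not code from the original post or from any marketing platform). It assumes the signup form posts an e-mail address, that your mailer embeds the returned token in the confirmation link, and it uses in-memory dictionaries, a generated SECRET_KEY and a two-day CONFIRM_TTL_SECONDS as hypothetical stand-ins for a real key store and database. The same code serves both the new-subscriber flow above and the requalification campaign: an existing list is simply pushed through the same confirmation step, and anyone who does not click is never mailed.

```python
"""Double opt-in with an HMAC-signed confirmation link and a consent trail.

Added example, not the original post's code. SECRET_KEY, CONFIRM_TTL_SECONDS
and the in-memory stores below are hypothetical stand-ins for a real secret
store and database.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # hypothetical; load from a secret store in production
CONFIRM_TTL_SECONDS = 48 * 3600        # confirmation links stop working after two days
SIG_LEN = hashlib.sha256().digest_size

pending = {}       # nonce -> claims for links issued but not yet clicked
consented = {}     # email -> consent record (the evidence you keep)
used_nonces = set()


def _sign(body: bytes) -> bytes:
    """HMAC over the claims so a visitor cannot forge a confirmation for another address."""
    return hmac.new(SECRET_KEY, body, hashlib.sha256).digest()


def start_signup(email, list_id, consent_text, now=None):
    """Step 1: form submitted. Record the request as pending; return the link token to e-mail."""
    now = time.time() if now is None else now
    claims = {
        "email": email.strip().lower(),
        "list": list_id,
        "text": consent_text,            # exactly what the person was asked to agree to
        "iat": now,
        "exp": now + CONFIRM_TTL_SECONDS,
        "nonce": secrets.token_hex(16),  # single use: a leaked or forwarded link confirms once
    }
    body = json.dumps(claims, sort_keys=True).encode()
    pending[claims["nonce"]] = claims
    return base64.urlsafe_b64encode(body + _sign(body)).decode()


def confirm(token, now=None):
    """Step 2: link clicked. Verify signature, expiry and single use; then record consent."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                                # not even valid base64
        return None
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(_sign(body), sig):     # tampered or forged link
        return None
    claims = json.loads(body)
    if claims["exp"] < now:                           # stale link
        return None
    nonce = claims["nonce"]
    if nonce in used_nonces or nonce not in pending:  # replayed, or never issued by us
        return None
    used_nonces.add(nonce)
    del pending[nonce]
    record = {
        "email": claims["email"],
        "list": claims["list"],
        "consent_text": claims["text"],
        "requested_at": claims["iat"],
        "confirmed_at": now,
        "method": "double-opt-in",
    }
    consented[claims["email"]] = record
    return record


def requalify(existing_contacts, list_id, consent_text, now=None):
    """Re-permission an old list: issue one confirmation token per contact, {email: token}."""
    return {e: start_signup(e, list_id, consent_text, now) for e in existing_contacts}


def purge_expired(now=None):
    """Drop pending requests whose link has expired; returns the addresses removed."""
    now = time.time() if now is None else now
    expired = [n for n, c in pending.items() if c["exp"] < now]
    dropped = [pending.pop(n)["email"] for n in expired]
    return dropped


def active_list(list_id):
    """Only contacts with a confirmed consent record are ever mailed."""
    return sorted(r["email"] for r in consented.values() if r["list"] == list_id)
```

The token carries the subscriber's own address and the consent wording in the clear; the signature is what matters, since it stops anyone from confirming on behalf of an address they do not control. The nonce makes each link single use, the expiry bounds how long a forwarded link stays live, and the stored record (address, wording, request and confirmation times, method) is the trail you would produce if asked to demonstrate consent.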
What data are you capturing?
From an agency perspective, we use HubSpot – an all-in-one marketing and sales platform that provides all the necessary tools and functionalities you need to ensure GDPR compliance. So, if you are a HubSpot user and struggling to ensure your business’ marketing activities are GDPR compliant, check out this free eBook that provides an in-depth analysis of the GDPR and what it means for your business.
Tip #30: Getting your business’ data in order will undoubtedly take some time. If you have large mailing lists, full of people who have and have not provided their consent to your business’ marketing communications, expect those lists to thin out significantly. However, by following the tips outlined in this blog, you will develop GDPR-compliant lists and activities and be thoroughly prepared for the GDPR come next year.
If you'd like to receive the latest 'All that PR & Marketing Bollox...Explained!' blogs straight to your inbox every week, you can subscribe below: