With the General Data Protection Regulation (GDPR) taking effect on May 25th, 2018, the pressure is on for organizations that are either established within the European Union (EU) or offer goods or services to individuals within the EU. It is important to note that GDPR, unlike Canada's Anti-Spam Legislation (CASL), is a data-protection and privacy law; CASL was designed primarily to curb commercial electronic spam. GDPR therefore demands a deeper level of diligence from organizations than an anti-spam law does.

GDPR obligations fall into four broad areas:

  1. Permission – obtaining consent to communicate with individuals and to collect, store and process their personal data
  2. Access – controlling who may access and use the data, and honouring individual rights such as access and erasure (the “right to be forgotten”)
  3. Focus – having a documented lawful basis for each processing activity you carry out on the data you collect
  4. Protection – securing the data, having breach-response procedures in place, and notifying the supervisory authority (and, where the risk to individuals is high, the individuals themselves) when a breach occurs

It is important to note that this is more than a marketing concern: GDPR affects the entire organization. The legal team should be heavily involved in determining the protective measures and should guide the actions of the IT and database teams, Marketing and, especially, Public Relations. One of the first questions to ask is “Do we need a Data Protection Officer (DPO), and who is it?” Assembling a cross-functional team to tackle the various areas of compliance is useful as well.

The Information Commissioner’s Office (ICO), the UK’s data protection authority, which administers and enforces GDPR in the UK, has published guidance to help organizations get ready. You can find a checklist and “12 steps to take now” on its website. The 12 steps are certainly a good place to start and are listed here for your convenience:

  1. Raise awareness among decision makers and key people in your organization.
  2. Document what personal data you hold, where it came from, and who you share it with.
  3. Review privacy notices and plan for any necessary changes.
  4. Audit procedures to ensure they cover all individual rights concerning data.
  5. Update procedures for handling access requests.
  6. Identify the lawful basis for processing data and include that in your privacy statement.
  7. Review how you seek, record and manage consent.
  8. Determine if you need systems to handle parental or guardian consent for children.
  9. Evaluate procedures for data breaches.
  10. Familiarize yourself with Data Protection by Design and Data Protection Impact Assessments.
  11. Designate someone to take on the role of a data protection officer or create a specific position for that role.
  12. If your organization operates in more than one EU member state, determine your lead data protection supervisory authority.

To demonstrate that their organization meets GDPR’s lawful conditions, and to avoid fines, marketers need to:

  • Build privacy settings into their digital products and websites.
  • Regularly conduct data protection impact assessments.
  • Strengthen how they seek permission to use personal data.
  • Document how they use personal data.
  • Improve the way they communicate data breaches.

Of particular importance is how digital interactions with individuals are handled. A more robust Marketing Automation Platform (MAP) will assist with this effort. Creating a GDPR-specific program in the MAP that monitors and tracks opt-in is a good first step towards compliance. This program should capture three pieces of information at the moment of opt-in: what the individual was told (the standard opt-in language shown to them), when they consented (a date and time stamp), and how they consented (for example, by phone or through a web form). Both Legal and the DPO should sign off on the opt-in language to ensure the wording is compliant. Separate GDPR fields should also be created in both the MAP and the CRM to record who opted in, and how and when they did so. Because the controller must be able to demonstrate that consent was given, store the exact version of the consent text in effect at the time rather than a reference to the current wording, and keep these records tamper-evident so they can stand up to an audit or a complaint.