In our previous blog we explained that, under the terms of GDPR, all organisations that offer services or products to customers who are EU citizens are required to look after their personal data. GDPR defines the following lawful grounds for data processing:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
We believe that there is a lot of hype, confusion and, frankly, misinformation out there. GDPR compliance may seem a daunting task, but many of the scare stories are not true. Below we suggest a 5 point GDPR plan to give your business the best chance of compliance; you can find more information on the Information Commissioner's Office (ICO) website.
1. Nominate a Data Protection Officer
A Data Protection Officer (DPO) is the individual within your organisation who is responsible for monitoring compliance with GDPR. This could be an existing employee, a new hire, or an outsourced role. In practice, unless your business processes large quantities of personal data, a suitably trained existing employee will be sufficient.
2. Do a Data Audit
Audit all data use within your business and identify all of your data processors. Classify each as a first- or third-party data processor and, for each one, record:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
Check the privacy policies of all the third-party data processors you have identified and confirm that they are GDPR compliant; those based in the US should be Privacy Shield compliant. If a processor is not compliant, contact them, and consider replacing them with a similar provider who is.
Remember, under GDPR, the data is your liability, so unless you really need to keep the data you should consider deleting it.
3. Outbound Marketing Risk Assessment – Legitimate Interest
Organisations wishing to conduct outbound marketing campaigns, such as email or mailshots, may find gathering consent extremely difficult from a purely logistical perspective. In this case a business should conduct a "Legitimate Interest Assessment", which can be used to demonstrate that the processing is necessary.
This assessment includes a "Balancing Test" to establish whether your business interests outweigh those of the data subject.
Although this might seem to weigh against having a legitimate interest, it is a subjective test and can be carried out by your Data Protection Officer. The assessment of whether a data subject would have a legitimate interest in your products or services needs to be formally documented, so that you can show the relevant authorities that the subject's data rights have been properly considered.
5. Identify any data weaknesses in the system
During the audit, any data risks associated with your website will become apparent. These might be third-party data processors, forms on 'contact us' pages, contact forms on landing pages, newsletter sign-up forms or pop-ups. Consider how each of these data-gathering processes might affect an individual's privacy and tighten up the process. This might be as simple as adding a tick box to confirm consent.
In Summary and Conclusion
GDPR, with its eye-watering fines, might appear to be a sledgehammer to crack a nut. However, it's worth considering the motivation behind it: GDPR's key objective is to protect individuals' data from being misused.
Sadly, GDPR will not stop spammers. It does mean, however, that legitimate businesses with a genuine need to hold and process data in order to communicate with their customers will need to do so responsibly.
GDPR will help reduce unsolicited and badly managed digital marketing. Businesses that can prove they have a GDPR plan, and have taken all the necessary steps to safeguard stored and processed data that can be attributed to an individual, should have nothing to fear.
Please note: whilst we're ready for GDPR, and are confident it's a good thing for marketers and consumers alike, we're not lawyers and this blog does not constitute legal advice. The ICO continues to produce GDPR guidance, so keep an eye on their website for updates.