GDPR – 12 months to go, 12 things to think about (Part 2 of 4)

In Part 1, we covered raising awareness, data audits and privacy notices.

4.    Individuals’ Rights

Just ‘getting ready’ for GDPR is not going to be good enough, because you may also have to prove to the regulator that you are ready for GDPR. One critical proof point will be the decisions you make in getting ready for GDPR, as well as what you will do going forward after its implementation. Get in the habit now of documenting all of your decisions and the deliberations that went into them (more on this under the Protection by Design section). You will also need clearly defined and documented policies and procedures to comply with GDPR. These cannot be the kind of documents that are written and then live in a cupboard just in case something goes wrong; rather, they need to be distributed to staff in a useful format with corresponding training, so that the processes become habit within your organisation.

One area that is very well suited to this is protecting individuals’ rights. Most of the rights under GDPR are not that different from those under the DPA, but now is a good time to ensure that you have your documentation in order. It is also a good time to ensure that your procedures will be compliant around things like correcting data and handling subject access requests.

5.    Subject Access Requests

While we are on the topic of subject access requests, these are changing under GDPR. First, the downside: you will no longer be able to charge for these, and you will have to reply within 30 rather than 40 days. You will also have to provide some metadata along with the data subject’s own data, such as your data retention periods and many of the other things covered under the notices provision.

The good news is that you can charge for or refuse excessive requests (for example, ones that are too frequent), and, if you process large amounts of data, you can ask the data subject to specify the data they are looking for. You will also be able to provide the data electronically in many cases.

6.    Legal Basis

Under the GDPR, the legal basis for processing data is all-important, because individuals’ rights can change depending on the legal basis you determine for processing the data. It will be important for businesses to balance the requirements of consent against the legitimate interests basis that the GDPR provides for. The other legal basis that many email marketers will rely on is processing the data with the subject’s consent.

That puts us halfway through the twelve things you should be thinking about to prepare for GDPR. Check back soon for the next two instalments.

Editor’s note: The materials and information above are not intended to convey or constitute legal advice. You should seek your own advice specific to your business’ requirements.

The post GDPR – 12 months to go, 12 things to think about (Part 2 of 4) appeared first on The Email Marketing Blog.

Reblogged 2 weeks ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 1 of 4)

So, here we are. There are fewer than 12 months to go to the implementation date of the new General Data Protection Regulation (GDPR) on 25th May 2018.

It would be great to say that all UK businesses are well on their way to being ready, but data from the DMA released at an event this morning tells a different story.

Marketers are feeling less confident about GDPR than they did in February when 68% of businesses said they were ‘on course’ or ‘ahead’ of plans to be GDPR compliant by May 2018. Since that survey, the ICO and the Article 29 Working Party have issued both guidance and discussion documents bringing businesses greater clarity around what GDPR compliance will entail. This greater clarity has caused respondents to reassess their positions:

  • Only 55% of companies feel they are now ‘on course’ or ‘ahead’ of plans to meet the May 2018 deadline.
  • Marketers’ perception of their knowledge as ‘good’ rather than ‘basic’ has slipped from 66% to 59%.
  • Marketers’ sense of being ‘extremely’ or ‘somewhat’ prepared has fallen from 71% to 61%.

What has not changed is marketers’ four big GDPR-related concerns:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

So what should you be thinking about? Here are 12 things to get you started.

1.    Awareness

If you are the only person in your organisation that is thinking about GDPR, you could be in big, big trouble. This is a major change to the legislative regime in which your business operates, so not only do key people need to be made aware of the revisions your business will need to make, they also need to be made to care.

As one of the speakers at this morning’s DMA event pointed out, good data practitioners already have the proper use of data on their radar; much of what the GDPR contains could therefore be considered business as usual. By stressing that this attention to data is now in favour of helping the business comply with the new GDPR regulations, you may be able to obtain more budget for your undertaking.

While I am sure this is true in some cases, I know that for many companies GDPR will represent a radical change in how they do business. It is critical that senior management is made aware of the impact sooner rather than later, and that all members of staff are trained and brought up to speed on the changes over the next twelve months.

2.    Data Audit

While you are running your internal PR campaign, you can also be talking to all of the people that have databases squirrelled away here, there and everywhere; these will need to be examined. Among other things, you need to fully document:

  • What data you hold
  • Where you obtained it
  • When it was acquired
  • How often it is updated
  • All of the places it is stored within your organization
  • How the data flows from one place to another
  • Who has access to the data throughout its journey
  • How it is stored
  • Where it is stored
  • The retention policy for each datum

3.    Privacy Notices

One of the things that will most likely have to change for most UK businesses under GDPR is their privacy notices. Being open, honest and transparent with consumers about what data you are collecting, why, how you will be using it, and how you will take care of it has been a core principle of data protection law since the original Data Protection Act of 1998. What has changed, however, is that the legislators feel that data owners have not always done this to the best of their ability. They have therefore given us more detailed instructions as to what openness, honesty and transparency entail in practice. The Information Commissioner’s Office (ICO) has released a great code of practice on privacy notices.


Check back next week to read items 4 to 12 of the 12 things to think about before GDPR 2018.

The post GDPR – 12 months to go, 12 things to think about (Part 1 of 4) appeared first on The Email Marketing Blog.

Reblogged 4 weeks ago from blog.dotmailer.com