Are you GDPR Ready?
The GDPR is imminent. It presents a challenge but also an opportunity. The GDPR will enable marketers to reset their priorities, strengthen relationships and build trust. The new legislation is a positive double-edged sword; not only does it put consumers in the driving seat, it will allow marketers to deliver a better customer experience and build brand loyalty.
There is a lot to do to get ready for GDPR compliance. At the very least you’ll need to ascertain whether you are a data controller or a data processor, appoint a Data Protection Officer and create GDPR-specific policies and procedures. However, if this task seems insurmountable, think again. Whilst the waters may still look a little muddy, there is help and support available.
The DMA and the ICO are keen for companies to work with them to create the policies and procedures required for GDPR compliance. Both organisations offer support and advice, and, from experience, this is worth accessing, not least because the ICO states that if an organisation has put in place processes to demonstrate GDPR compliance, this will be taken into account should regulatory action be required.
The GDPR Accountability Principle
Elizabeth Denham, UK Information Commissioner, recommends that organisations focus on the GDPR accountability principle. This principle requires organisations to be able to show evidence of GDPR compliance and to explain why they took a particular course of action. Denham states: “We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR … Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
Still Unclear As To What To Do Next?
The ICO recently spelt out what organisations should be doing now to demonstrate effective accountability:
Organisational commitment – preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data, recognising that the public has a right to know what’s happening with their information.
Understand the information you have – document what personal data you hold, where it came from and who you share it with. Review contracts with third-party processors to ensure they’re fit for the GDPR.
Implement accountability measures – appoint a data protection officer, consider lawful bases, review privacy notices, design and test a data breach incident procedure and assess what new projects could need a Data Protection Impact Assessment.
Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.
Train staff – staff are your best defence and your greatest potential weakness, so regular training is a must.
By creating the documents mentioned above, and following the ICO’s advice, you will be well on the way to meeting the list of GDPR accountability ‘must-haves’.
GDPR – Revolution or Evolution?
Clarity is coming but confusion still reigns to an extent. What is clear is that GDPR is not a revolution. In many areas it simply builds on, or emphasises certain aspects of, existing data protection law. Proactive organisations that put rigorous processes in place to demonstrate GDPR compliance need not have sleepless nights.
Denham acknowledges that marketers are suffering frustrations. She agrees that parts of the GDPR are ambiguous and that clear guidance has not always been forthcoming from the ICO and the Article 29 Working Party. But this is no excuse for inaction. Denham reiterates that the ICO is a pragmatic regulator, aware of the real world of business risk and cost; that awareness, however, doesn’t negate the need to act now. What is crucial is being able to demonstrate that you have the appropriate systems in place for compliance in the new GDPR world.
Are you GDPR Ready?
If you’ve not already acted, now is the time. Procrastination could be unhealthy for your business.
If you’re still seeking clarity on exactly how the GDPR will affect your business, both the DMA and the ICO are there to help you. There are fundamental differences in the way B2B marketing will be regulated under the GDPR compared with B2C, so seeking clarity is essential.