How GDPR and the Data Protection Bill will Change eCommerce Marketing

by David Carlson, Head of Technology at Fast Web Media

The GDPR deadline is fast approaching and businesses need to ensure that they’re compliant by the time the new law comes into effect. David Carlson, Head of Technology at Fast Web Media, answers some of the frequently-asked questions and offers advice to businesses in getting started on their journey to GDPR compliance.

The General Data Protection Regulation will impact all European businesses, in particular the way marketing communications are sent to customers and how we look after our data. Failure to comply with the new rules will result in businesses being fined €20m or 4% of their global annual revenue, whichever is the greater amount.

According to Compuware, 77% of retailers don’t have a comprehensive GDPR plan in place and less than half are well versed on the regulation and how it will change the way data is handled. In this article, I will provide clarity on some of the frequently asked questions about GDPR and share my tips to help you and your business get ready for the May 2018 deadline.

What can I do now to ensure my retail business will be GDPR ready?

The General Data Protection Regulation is designed to harmonise the way businesses are storing, archiving and disposing of their data, so a good place to start on the journey to GDPR compliance is with data cleansing. You need to gain a good understanding of what data you hold, how you’re keeping it and how you discard it. There are a few ways to do this – you can either do it yourself in-house or use one of the companies that will help you do it. Once you know what data you have, things will start to become a lot easier.

Another key part of becoming compliant is the security of your business. You need to assess any potential gaps in your company’s security and ensure you have the right measures in place to protect your data from any potential breaches. If you don’t have any protection in place, start with anti-virus software or speak to a technology solutions partner. If you’re not protected then you could be facing very large fines.

A key part of GDPR, which is often overlooked, is the updating of policies and procedures. You need to update these to be in line with the new regulation, but doing so is also a way of proving your business has made the necessary changes in order to become compliant. There are people who can act as your appointed GDPR officer to make this process a lot easier – this is probably more helpful to the SME market.

I’m an online retailer, how will GDPR affect me?

The law will be impacting everyone, but in particular eCommerce businesses as they hold more sensitive information than most other industries. It won’t affect you any more so than it would any other industry; it just means that you will have to be extra vigilant when it comes to the security of your business and protecting your data.

Mobile devices also need to be included in your security plan. Online retailers will use mobile devices on a regular basis. Previously, any business data on an employee-owned device was the responsibility of the employee; now it’s the responsibility of the company. Protecting mobile devices is often overlooked, and overlooking it is something that you can’t really afford to do now.

We use opt-in marketing; why do I need a second option and what does it mean?

Double opt-in marketing is an additional step added to the subscribing process. Anyone who registers to receive your email correspondence will now have to confirm they do in fact want to register, and they’re not an automated marketing robot. This is done by following a link that is emailed to them after the first opt-in stage. The second stage, clicking the link, confirms the identity of the person registering but it also improves the quality of your data as you have the correct information.

You may also need to gain consent from your existing contacts, but this depends on where your data was originally sourced. Anyone who has come to your website or has contacted you directly usually has already given permission for you to use their information and market to them, but if you have purchased your data from a third party, chances are you don’t have permission. In this case you will need to make sure the people you are contacting are aware you have their data, which you can do by asking them to give their consent through the double opt-in process.

By making it easier for people to withdraw from my marketing, am I going to lose my database?

The new regulation states that you must make your withdrawal process clear: it needs to be as easy to withdraw consent as it is to give it. This doesn’t necessarily mean you’re going to lose your customers; it just means you’re being more upfront and clear about your processes.

Under the legislation, data subjects now also have the right to erasure and the right of access. The right to erasure applies when data is no longer necessary in relation to its original purpose or when the individual withdraws their consent. There are certain restrictions that will prevent a person from exercising their right to erasure.

The right of access is the right that individuals have to obtain certain information, for example, access to the personal data you hold on them, or confirmation that their data is being processed. In this case you must provide a copy of the information free of charge.

We market to a niche audience, how will GDPR affect us?

Regardless of industry, GDPR will have an effect on your business. To begin your journey you will need to define your audience, as some businesses will be more affected by the change; for example, organisations whose services are intended for children will have new rules and regulations to adhere to.

If your business is aimed at children (classed as a person under the age of 13) you will need to obtain permission from a parent or guardian and prove you have such permission in order to market to these people.

Marketing to children should be treated the same way as marketing to an adult: you still need to make it easy to withdraw consent at any time, and you need to ensure your policies are all written in appropriate language for children to understand.

Will GDPR affect my existing data?

The regulation will impact the way you market to your existing database but it won’t have a direct impact on that data. The law affects the things that surround your data, such as how you’re handling and protecting it.

All businesses will be impacted by the basics of GDPR and will have to adjust their business policies and processes to the new regulations. By starting now and giving yourself plenty of time to adjust, you can become compliant with minimal disruption to your business. If you’re unsure of where to start, why not speak to a specialist digital agency, such as Fast Web Media, to find out what you should be doing? But beware of companies that say they are fully GDPR compliant, as the details of the new legislation haven’t been fully communicated yet, so being ‘fully compliant’ is currently impossible!