The deadline for GDPR is looming large and manages to make it into every agenda or AOB session that I attend. While there is a lot to discuss, I can’t help but feel it is going to go one of two ways: all talk and no action, or running headlong into poorly planned execution. Both can put a business at risk.
Fail to plan, plan to fail.
Without regurgitating every guide out there, planning is key to success. The number of touch points for even the smallest business can be overwhelming and easy to overlook. Make it someone’s responsibility to review how data comes into the business, who holds it, who processes it, where it’s held and how it’s deleted.
From here an action plan can be built, including the changes to data capture, storage and processing and, most importantly, detailing all of this in a clear way to your users. You can then begin looking at the data you currently have stored and whether its usage is compliant with GDPR.
Re-engagement is not a GDPR issue.
The usage of data isn’t solely a GDPR issue; there were data protection laws long before the new regulations were conceived. The Privacy and Electronic Communications Regulations (PECR) have previously given people rights regarding marketing calls, emails and texts. Even the best-intentioned remarketing strategies could have fallen foul of these rights. Back in August 2016, airline Flybe were hit with a £70,000 fine after they deliberately sent emails to 3.3 million people who had opted out of marketing emails.
With no justification or consent from the users to receive that type of content, Flybe were rightfully fined for emailing users that hadn’t opted in to marketing materials. Making sure everyone in your database has signed up for the content you’re sending is important, and emailing those who have either not given or have revoked permission is simply not worth the risk.
Take an honest appraisal of the data you hold and ask yourself: is this up to date? Was this collected in the correct fashion? Do you have a legitimate reason to contact these individuals?
The answers to these questions should give some sense of the value of the data your business holds. Then you can make an educated decision to work with it or delete it.
Delete means delete!
Whether you decide to remove the data or a user requests to have their data removed from your system, delete means that it has to be purged. This is no small undertaking, as the data may exist in an array of databases and systems.
When reviewing our own systems including the Apteve CMS platform, we had to define a process of overwriting data with dummy content to ensure that it would not be restored from a back-up or held deeper in the system to resurface later.
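As an added illustration of the overwrite-rather-than-delete approach described above (example code written for this article, not the Apteve CMS implementation), the snippet below overwrites a user’s personal fields with placeholder values and keeps an erasure log so the same erasure can be replayed if an older backup is ever restored. The schema, sample rows and placeholder values are constructed for the demo.

```python
import sqlite3

# Constructed schema and sample rows (not from the original post) used to
# demonstrate overwriting personal fields rather than only deleting rows.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
CREATE TABLE erasure_log (user_id INTEGER PRIMARY KEY,
                          erased_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);
"""
SAMPLE_USERS = [
    (1, "Alice Example", "alice@example.com", "+44 7700 900001"),
    (2, "Bob Example", "bob@example.com", "+44 7700 900002"),
]
DUMMY = ("ERASED", None, None)  # hypothetical placeholders for name/email/phone

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def get_user(conn, user_id):
    """Return (name, email, phone) for a user id, or None if absent."""
    return conn.execute("SELECT name, email, phone FROM users WHERE id = ?",
                        (user_id,)).fetchone()

def erase_user(conn, user_id):
    """Overwrite the personal fields in place and log the request.
    Returns the number of rows updated (0 for an unknown id)."""
    cur = conn.execute("UPDATE users SET name = ?, email = ?, phone = ? "
                       "WHERE id = ?", (*DUMMY, user_id))
    conn.execute("INSERT OR IGNORE INTO erasure_log (user_id) VALUES (?)",
                 (user_id,))
    conn.commit()
    return cur.rowcount

def reapply_erasures(conn):
    """Replay every logged erasure, e.g. after restoring a backup that predates
    the request. The log must therefore be kept outside the restored data set;
    here it survives only because simulate_restore puts back a single row."""
    ids = [r[0] for r in conn.execute("SELECT user_id FROM erasure_log")]
    return sum(erase_user(conn, uid) for uid in ids)

def simulate_restore(conn, user_id):
    """Stand-in for a backup restore: put the original sample row back."""
    row = next(u for u in SAMPLE_USERS if u[0] == user_id)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)", row)
    conn.commit()
```

The erasure log is the piece that makes a restored backup safe to bring back online: replaying it immediately after the restore re-applies every erasure the backup predates.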
The deadline for GDPR compliance is 25th May 2018. If you haven’t already, you need to take the time to understand how data moves through your business and review the impact of your actions. This doesn’t just apply to GDPR, but to all regulations governing the management and handling of personal user data.