Those of you of a certain age will recall the great Y2K scare that gripped the world at the turn of the century. Now, as the European Union’s General Data Protection Regulation (GDPR) takes effect in a little over two weeks, many sources are calling it the “Y2K of B2B Marketing.”
But beyond the hype and fanfare, the GDPR is an opportunity for you to improve the way your organization collects, handles, and uses customer/prospect data.
While the GDPR is widely considered to be the most complex piece of legislation the EU has ever produced, it all boils down to making sure that personal data is kept and used in a transparent manner.
That’s why you should be making the final touches to your GDPR preparations by now. This post rounds up the top-rated resources to help you go over your last-minute GDPR checklist. Keep in mind this article only includes marketing tips. At no point should it be taken as legal advice.
GDPR: Prepare, Don’t Panic
In the late 1990s, people feared that the world’s computer systems (and everything that depended on them) would fail when the calendar turned over to January 1, 2000, because of a glaring date-handling flaw present in most computer systems of that time.
In response to dire warnings and predictions on the Y2K bug’s possible impact, businesses and governments across the world reviewed and upgraded their IT infrastructures, collectively spending at least $300 billion (in year 2000 dollars) on Y2K fixes.
The new millennium finally arrived with minimal Y2K-related disruptions, except for a few relatively minor incidents (temporary power outages, disconnected phone lines, etc.) in some scattered places across the globe. It looked like a worldwide catastrophe had been averted.
The question is still debated today. Some sources argue that it was the frenzied pace of preparations by companies and governments that saved the world. Others think the entire Y2K problem was blown out of proportion, and that the organizations that geared up for it were simply overreacting.
But despite these opposing views, businesses that took the step toward Y2K-readiness actually got something more from their efforts than just being spared from potential disaster. The Y2K problem forced companies to sort out and streamline all the various overlapping IT components in their organization. In other words, businesses modernized and strengthened their IT systems by trying to fix the Y2K bug.
The same can be said of the GDPR. If you’ve been following nothing but headlines on the topic, it’s easy to get carried away by all the talk of gloom and doom. In reality, even as the implementation date draws closer, the GDPR’s exact implications have yet to be determined, a fact which even the European Commission admits.
It doesn’t really matter whether the GDPR’s anticipated impact on marketing turns out to be spot on or overblown. Working toward GDPR compliance will benefit your organization on so many levels, not only in avoiding the steep penalties associated with violations.
GDPR-readiness actually helps you develop more robust and effective data management processes. By setting standards that ensure your data assets are accurate and in order, the GDPR gets your data in the right shape for gleaning useful information and actionable insights.
That’s on top of other organizational benefits like boosting your cybersecurity posture and protecting your company against data breaches and theft.
This is why preparing for GDPR is a step in the right direction.
Some Last-Minute Resources for Your GDPR To-Do List
With just two more weeks left, most businesses are working round the clock to get everything ready before the May 25 deadline. At the current rate that things are going, however, it’s clear that only a few will actually be able to become GDPR-compliant once the law takes effect.
In fact, recent surveys find that between a third and 60% of companies won’t reach GDPR-readiness on time. Even within EU member states, only a very small number of businesses think they’re prepared or up to speed with the upcoming regulation.
That’s despite having had a two-year window to prepare for the GDPR and thousands upon thousands of materials dedicated to the topic. The road to GDPR compliance remains as winding as ever, with detours and dead ends along the way. It’s no wonder that 89% of companies worldwide admit they’re still confused by key elements of the new law.
Whatever your level of preparation, the May 25 deadline will soon be arriving. As you wrap up or ramp up compliance measures, you need to make sure you’ve got the essentials all covered.
We’ve hand-picked the top resources (articles, whitepapers, infographics, etc.) from trusted sources to help you go over each step of your GDPR compliance to-do list. These are grouped according to the typical items in a GDPR-readiness checklist as follows:
Understanding the Legislation
By now, you probably have a pretty decent grasp of what the GDPR is all about. The GDPR significantly enhances data privacy protection for anyone in the EU (citizens and non-citizens alike), whom the law calls “data subjects”. It gives people greater control over their personal data while also increasing the duties and responsibilities of organizations that collect or process personal data.
The new law not only impacts businesses directly operating in the EU but also applies to any non-EU company that targets or tracks any individual residing in the EU. In other words, your company is subject to the GDPR if it processes or handles the personal data of EU citizens or residents.
To understand exactly what responsibilities the GDPR imposes and which types of data it aims to protect, you need to be familiar with the text of the regulation itself. Here’s a list of resources to help you get acquainted with the letter of the GDPR law:
- The General Data Protection Regulation—Final Text, Neatly Arranged
- Official GDPR FAQs
- EU GDPR Information Portal
- GDPR Compliance Glossary
- EU GDPR: A Pocket Guide [Kindle eBook]
Doing a Data Processing Inventory
The GDPR specifies several reporting requirements, including the “records of processing activities” required under Article 30. Records of processing activities document how and why personal data is being processed. This report allows you to show regulators that your organization is complying with the GDPR.
Unlike traditional data inventory/mapping, a data processing inventory looks at how data moves through each of your business processes, rather than just accounting for your various data assets and where they’re stored.
To implement this requirement, you first need to identify and locate all pieces of personal data in your organization and then indicate where they come from, how they’re being processed, and where they’re going.
The following resources offer up some very useful information on carrying out a data processing inventory for GDPR compliance:
- Article 30, GDPR: Records of Processing Activities
- Data inventories under the GDPR [PDF]
- Template for Article 30 Records [XLS]
- How to Meet GDPR Article 30 Requirements
- How to Conduct a Data Inventory
Updating Your Opt-In and Privacy Policies
Under Article 6, the GDPR states that data subjects must provide consent to the processing of their personal data before you can legally collect their information. Consent requires a positive opt-in (not pre-ticked boxes or any other kind of consent by default).
All your opt-in forms must clearly state why you’re collecting the personal info, how you’re going to store and use it, and what you’re going to send. Your marketing database should contain only contacts who have explicitly and clearly provided their consent.
In addition, the GDPR provides rules on giving privacy notices to data subjects, specifically under Articles 12, 13, and 14. You need to thoroughly review your privacy notices and make sure they’re clear, concise, and easy to understand.
Several sources note that making consent and privacy notices GDPR-compliant can be a little tricky. Here are a few useful guides to ensure you take the proper steps:
- GDPR Consent Guidelines
- GDPR: legal grounds for lawful processing of personal data
- Privacy notices under the EU General Data Protection Regulation
- How to write a GDPR privacy notice – with documentation template examples
Rethinking Your Marketing Processes
We’ve already seen some possible ways GDPR can impact your opt-in tactics and list management strategies. In some cases, working toward GDPR compliance may require a substantial rethink of many of your traditional and digital marketing processes.
For example, the new law makes it clear you must obtain positive opt-in (not implied or default opt-in) in order to legally collect personal data, which means some lead capture tactics may potentially run afoul of the GDPR.
Another crucial area to recheck for GDPR compliance is your marketing automation platform or CRM. This is most likely where the bulk of personal data resides, so it’s an important item in your data processing inventory.
There are definitely more components in your marketing process that need to be looked into. Check out the following resources to help prepare your marketing strategy for GDPR compliance:
- GDPR for Marketing: The Definitive Guide for 2018
- GDPR for marketers: best practice, tips, and case studies
- GDPR Checklist for Marketers [PDF]
- What GDPR Means for Marketers [Infographic]
Conducting a Cybersecurity Review
Article 32 requires companies to put in place “technical and organizational measures to ensure a level of security appropriate to the risk”, and provides practical guidelines for handling personal data in a secure manner.
The Article further stipulates that in order to securely handle personal information, companies must use the latest available tools, keep only the minimum amount of data needed to perform a task, and adjust their security measures to match the risk and impact of a breach.
Violations of Article 32 carry hefty fines of up to €20 million or 4% of your previous financial year’s worldwide revenues (whichever is higher). So, you should complete a comprehensive review of your cybersecurity posture. Here are a few resources to help you do this:
- Guide to Cyber Security Compliance with GDPR
- Preparing for Compliance with the General Data Protection Regulation
- Why You Need Cyber Security Training For GDPR Compliance
Auditing Third-Party Data
One common question that gets asked a lot in relation to the GDPR is whether the new regulation allows the use of purchased or rented third-party data. The UK’s Information Commissioner’s Office (ICO) lays out guidelines for businesses to properly use third-party data once the GDPR takes effect:
- Check that the vendor provided contacts with clear, concise, and accurate privacy notices
- Confirm that all contacts in the bought/rented database gave consent as defined in the GDPR
- Make sure that the contacts explicitly allowed their personal data to be shared and indicated in what manner
- Assess the vendor in terms of reputation, complaints, data collection processes, etc.
- Require the vendor to put all the above information in writing
- Test samples of the data for accuracy and validity
- Remove unnecessary data; keep only what you need
- Provide contacts with your own GDPR-compliant privacy notices
- Ensure that contacts give you explicit and clear consent
- Give contacts the choice to opt-out
Various sources warn that using third-party data always carries some level of risk. Once you buy or rent third-party data, you need to fully understand your responsibilities and must be ready to handle any complaints or legal actions that result from using it. Here are a few helpful materials on this subject that you should definitely pay attention to:
- Using Marketing Lists (ICO Guidelines)
- GDPR Q&A – Third Party Data
- What does the GDPR mean to your third-party data processors?
- GDPR Checklist for Third Party Agreements [PDF]
Assigning Data Protection Responsibilities
Under Article 37, the GDPR requires an organization to appoint a data protection officer if it meets any of the following three conditions:
- it is a public agency,
- it’s engaged in the regular or systematic large-scale monitoring of people, or
- it processes sensitive data on a large scale.
A data protection officer (DPO) acts as the “independent advocate” for the proper treatment of data subjects’ personal information in a company, similar to an internal auditor. It’s clear under Article 37 that only specific organizations must designate a DPO, but most experts contend that the language is wide open to interpretation.
So, if you’re still unsure whether your company needs a DPO, the following resources should help you decide:
- GDPR Compliance: What is a Data Protection Officer and Do You Need One?
- GDPR Data Protection Officer
- Checklist for Data Protection Officer
Getting Professional Help
With nearly 9 in 10 companies still unable to get a good grasp of some GDPR basics, it makes sense that most businesses seek outside help when navigating the uncharted waters of GDPR compliance. The demand for GDPR expertise is so strong, an entire cottage industry has now sprung up around GDPR consulting.
Despite all the valuable resources available out there, we strongly recommend against DIY GDPR compliance. There’s just no substitute for expert opinion on the many legal and technical questions involved. Here are a couple of guides on finding and getting the right GDPR advisory services:
- 4 Tips for Choosing the Right GDPR Consultant
- Questions to Ask GDPR Consultants Before You Sign the Contract
The Takeaway: The countdown to the May 25 deadline is running out. As you work toward GDPR readiness, it’s important to look at the new regulation as an opportunity to improve how you manage your data assets. If you move past the FUD, the GDPR looks more like a way to strengthen your core business as a data-driven organization, and less like an expensive mistake waiting to happen.