Few changes over the last several years have as many practical repercussions on the way marketers do their job as GDPR. Our recent research into business readiness, run through Product Hunt, was met with thousands of responses.
There is a real eagerness across borders to share and learn when it comes to this topic – don’t forget it’s just as relevant for the US as it is for APAC marketers, as the regulation affects anyone collecting, processing and storing personal data of European citizens.
Another thing to keep in mind is that the regulation doesn’t exempt organisations based upon their size. This new approach to data protection is the EU’s way of ensuring that companies big and small (profit or non-profit), are taking data privacy seriously and incorporating this mentality within the DNA of their company.
While larger corporations often bring in external legal teams to manage their transition to GDPR compliance (and to steer clear of fines of up to 4% of global revenues or 20 million Euros), we asked ourselves: “where are small businesses in terms of preparing themselves for GDPR?”
Our study of over 4,000 small businesses on the state of their GDPR preparation found that the average readiness score was a disappointing 4.1 out of 10, and that only 29 percent are encrypting the personal data they hold. Despite the low level of compliance, 91 percent of small businesses still report collecting personal data from their clients.
With less than a month to go until the May 25 2018 deadline, it’s time for small businesses to roll up their sleeves and do everything possible to ensure they are putting data privacy first, in their quest for GDPR compliance.
If they haven’t done so already, the three steps below are imperative. They will take the most time, and they are the ones that will matter most when the auditors knock:
Cleanse the database
New and explicit consent will have to be obtained before sending email marketing campaigns to your legacy contacts, unless you already hold a record of their specific consent to receive such communication from you.
Check your current data status and document:
- What personal data do you already hold?
- Where did it come from, and who have you shared it with?
- Where are your vulnerabilities, and where can you be held liable?
- Where does your data currently live? Classify this information.
- Do you have procedures in place to detect, report and investigate data breaches?
Soft opt-in is not considered explicit consent under GDPR, so it is not an acceptable practice. Soft opt-in is a form of temporary consent given by individuals while their email details are being collected. Regardless of how much individuals engage with your marketing communications, consent must be requested in explicit language.
Start this step as soon as possible to lower your risk exposure, as even a single complaint from an outdated contact could throw the legitimacy of your whole marketing program into question.
Vet your third party providers
It’s important to understand exactly where the personal data you have collected on your customers is being shared and transferred. If this data flows into places like your CRM system, email service provider or customer support system, you need to ensure that these third-party providers are themselves GDPR-compliant. This is often the weakest link in the journey to becoming GDPR-compliant. Here are 12 important questions to ask all of your third-party providers regarding their level of compliance.
Putting a data registry in place is highly recommended as one of the first steps in your organisation; it is the foundation of your GDPR compliance journey. Do not underestimate how long this step will take, as it is likely to be a cross-departmental effort.
Review the data collection process
Classic growth hacks such as scraping LinkedIn email addresses and buying mailing lists won’t hold up in court after the May deadline. Under GDPR, you need to know when the consent was obtained (a date and time stamp, for example) and the specific purpose for which the consent was given. Embed privacy by design and by default into all projects – don’t collect more personal data than you need, and use anonymisation, pseudonymisation and encryption.
The next three steps are equally vital in the quest for GDPR readiness. They cover the internal workings of the company: the rules that everyone who works with customer data should keep front of mind at all times. GDPR is designed to become a mindset within businesses, not just a box-ticking task.
Ensure that senior management teams are aware of GDPR and its likely impact on your organisation, so that you have internal buy-in. As you go through this process, remember to inform and educate your employees and personnel on the collection and treatment of all customer data.
Change the mindset
According to our Product Hunt study, only 47% of quiz respondents always ask their customers for consent prior to contacting them. Worse yet, only 50% of respondents make it easy for customers to withdraw their consent. As of May, customers have the right to:
- Be forgotten; be informed; have their personal data deleted; and receive a copy of their personal data (within a month, free of charge)
- Data portability – have their data sent to them electronically in a commonly used, readable format
- Restrict automated decisions and profiling
- Object
Familiarise yourself with DPIAs
Work out when and how to implement Data Protection Impact Assessments in your organisation (note: exemptions exist for small businesses and low risk small-scale data usage).
Determine whether you need to appoint or contract a DPO (Data Protection Officer), who will be responsible for data protection compliance, acting independently and reporting to the highest levels of management. Make sure your contracts with all third parties contain the new provisions.
It is never too late to ensure readiness: if brands act fast, they will significantly lower their risk of fines and strengthen their transition to GDPR readiness.
Remember, GDPR isn’t designed to stop businesses from communicating with their customers. GDPR will lead to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture: that it’s an opportunity to gain more trust and respect from their clients who value the fact that their personal data is taken seriously and that their rights are being fully respected.