The new General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It’s an EU framework which governs how personal data is stored and handled, and so has far-reaching implications for how businesses collect and manage customer information.
What is GDPR?
GDPR replaces the current Data Protection Act and aims to improve the security of personal data. It is built on the principle of ‘privacy by design and by default’ which means that organisations must consider the impact that processing personal data can have on an individual’s privacy. Among other rights, your customers will have the ‘right to be forgotten’.
You can find out more at the Information Commissioner’s Office website, but in summary GDPR means your customers have:
There are also rights related to automated decision making and profiling – this is about the protection of individuals against a potentially damaging decision taken without human intervention (i.e. automated opt-in to email marketing).
What does it mean to your business?
Businesses of all shapes and sizes need to take a detailed look at how they manage, use and store customer data. In a world where we use cloud computing and smartphones, and work from various locations, this is likely to be complicated.
You’ll need to know exactly what personal data you hold and where it is located. It will be necessary for you to have a procedure in place to ensure the complete removal of this data upon request.
As well as looking at the security of your IT infrastructure, it’s important to look at the systems and processes you have for collecting, storing, accessing and managing customer data. You’ll also need to consider how you can mitigate accidental, malicious and criminal data security risks.
What are the implications for marketing?
From a marketing point of view, the main issue is one of ‘consent’. You will need to ensure customers proactively opt in to marketing contact, whether that’s via email, post, SMS or another channel. It isn’t sufficient to ask a customer to untick a box if they want to opt out; they have to take the step to opt in themselves.
You will need to review how you gather information about customers and consent for marketing and email marketing purposes and ensure that every aspect is compliant.
Managing compliance with GDPR
Every business is different, but broadly speaking, preparation for GDPR will entail:
Further reading: BT has produced an excellent guide to GDPR.