Dos and Don’ts of Data Security for GDPR Compliance

GDPR compliance

If you’re not ready for the EU’s incoming General Data Protection Regulation, better known as GDPR, it’s high time you started getting everything in order.

This can’t be emphasised enough. GDPR comes into effect on May 25th 2018 – but many companies still aren’t prepared. In November, a Trends Report from British software and services company Advanced showed that a worrying 25% of organisations were either unprepared or – even more concerning – unaware of the incoming changes.

GDPR readiness Advanced Trends Report

(Image source: trends.oneadvanced.com)

Other sources in the same month suggested that, globally, unpreparedness was even higher. Computer Weekly, for instance, reported that more than 40% of marketers felt that their organisations weren’t ready for GDPR, which, when it comes into effect, will have significant implications as to how we all communicate with customers, capture lead information, and conduct our businesses in general.

Smart Insights, too, recently surveyed over 200 people – of which, only 6% said that their company was ready for GDPR.

Is your company GDPR ready?

(Image source: smartinsights.com)

In all, it’s a little hard to grasp an exact figure on how prepared or unprepared organisations are for GDPR – but it’s safe to say that there are still many companies out there that aren’t yet ready for the changes.

So, let’s take a step back a moment and answer the most pressing question before we continue.

What Is GDPR?

GDPR is an EU regulation that provides a new framework for data protection laws. In the UK, it will replace the 1995 Data Protection Directive, which the country’s current laws are based upon.

And let’s be clear about one thing – forget about Brexit. It doesn’t matter that the UK will soon be leaving the EU – what matters is whether or not your organisation does business with people or other organisations in the EU, or indeed whether your organisation handles any data concerning EU residents.

And just to be clear about one more thing – there will be a new data protection bill in the UK after the country leaves the EU, but it will implement the vast majority of GDPR, and in any case, GDPR will still have huge implications for the ways in which UK businesses handle data concerning organisations and residents within the EU.

What this essentially means is that even if you have something as simple as a contact form on your website – published on the World Wide Web, and therefore accessible to everyone everywhere, including EU residents – through which you can capture personal data (names, email addresses, etc.) from EU citizens, GDPR affects you.

GDPR summary

(Image source: wired.co.uk)

GDPR’s main objective is simple enough to grasp – to give greater data protection rights to individuals across Europe. It will also “harmonise” data protection laws on the continent. GDPR is a regulation, not a directive. Directives – such as the UK’s 1995 Data Protection Directive – are enforced by individual countries, whereas GDPR is a regulation, which means that it will become law in all 28 countries across Europe as of May 25th 2018.

What Are the Risks of Noncompliance?

Huge.

Seriously huge – which is precisely why it’s very concerning to read that so many companies are still unprepared.

Are you sitting comfortably?

The penalty for infringement of articles 5, 6, 7 and 9 of GDPR will be an eye-watering fine of up to €20 million or 4% of turnover – whichever is greater. The penalty for infringement of articles 8, 11, 25-39, 42 and 43 will be a fine of up to €10 million or 2% of turnover – whichever is greater.

It’s fair to say that the EU means business – so you need to be prepared.

The risks of non-compliance with GDPR

(Image source: computerweekly.com)

The Dos and Don’ts of Data Security for GDPR Compliance

Ok – now that we’ve got your attention, let’s list the dos and don’ts for GDPR compliance.

Let’s start with the don’ts.

First – don’t panic. Yes, the fines are enormous, but meeting the requirements of GDPR isn’t overly complicated, and will in fact lead you to a state of enhanced security, which will have many benefits for your business.

However, don’t bury your head in the sand. GDPR is coming, and you need to take action.

There are many technology solutions available to help you become GDPR compliant – but don’t assume that you will be able to achieve compliance with technology alone. What’s required on top of any technology you implement is internal policy and processes, and to ensure that all of your employees know what’s required of them.

Finally, don’t assume that you will only be subject to those astronomical fines if you suffer a security breach – you need to be able to demonstrate compliance at all times, and the regulator has stated that it will be performing regular and random audits on companies to ensure that correct policies and processes are in place.

Now onto the dos.

Obtaining Consent

Today, practically all businesses operating a website are trying to capture contact information from customers and prospects in order to communicate with them for sales and marketing purposes.

You will no doubt be involved in this type of activity, too. You will probably have a contact form on your website at the very least, if not a few pop-ups enticing people to sign up to your newsletter. And you will likely be involved with lead generation, whereby you give away free content – such as an eBook or a white paper – in exchange for personal data such as names and email addresses.

This is all standard marketing practice. However, come May 25th 2018, there are new consent requirements regarding communications that must be explicitly given by any contact you capture.

Presently, when you capture someone’s personal contact information, no consent needs to be explicitly given for you to subsequently send communications to the individual. When a website visitor downloads an eBook, you send them sales and marketing messages, and aim for a conversion.

In other instances, when someone fills out a form on your site, you can currently get away with a pre-ticked check box that essentially implies consent from the individual that you may contact them – implied in the sense that users must take an action (i.e. un-tick the check box) to opt out of communications.

But all that’s about to change. Under GDPR, users will have to take an explicit action to opt in. Indeed, to use the words of the legislation, consent must be “freely given, specific, informed, and unambiguous” and be signified “by a statement or by a clear affirmative action”.

This means that it is no longer enough to assume consent – even if a prospect freely hands over their contact information. In addition, they must give actual, “specific, informed, and unambiguous” consent that their data can be used and that they can be contacted. Pre-ticked boxes are specifically mentioned in the legislation as no longer being good enough to meet compliance standards.

However, an “affirmative action” can include ticking a box to express consent. Essentially, it’s the action that makes the difference – unless users take a specific action to opt in, it must be assumed that they have opted out, meaning that they cannot be contacted and their data cannot be used.

In addition, data subjects retain the right to withdraw consent at any time – and it should be as easy to withdraw consent as it is to give it.

The following infographic from foiman.com illustrates consent requirements under GDPR clearly.

Consent requirements under GDPR

(Image source: foiman.com)

The Right to Be Forgotten

In some ways an extension of the ability to withdraw consent, the right to be forgotten means that under GDPR all individuals will have the right to be forgotten by any company that holds any data at all about them.

The right to be forgotten also requires that all data subjects are provided with a clear means of accessing any of the data a company has collected from them, at any time. This means that you will have to implement the means of giving data subjects that access as and when they want it.

What’s more, data subjects retain the explicit right to have their data completely erased and no longer processed at any time.

This is the right to be forgotten, and you must implement processes and policies that give your contacts that right in an instant with no questions asked.

Data Focus

Another important do concerns creating policies over what data your organisation can and cannot collect from individuals.

Today, many companies are guilty of asking users for more data than is actually needed. For instance, if someone wants to download an eBook from your website, do you really need to know what their favourite colour is, how many times they check their email each day, or what their preferred social network is?

“No,” will be the most honest answer in the vast majority of cases.

Of course, organisations – and marketing departments in particular – like collecting this type of data, because it helps to build up a better profile of our prospects, which enables us to market to them better. However, under GDPR, all organisations will be legally obliged to justify all the data they collect, and how it is processed. And so, come May, you will have to focus only on collecting and processing the data that you actually need from customers and prospects, and forget about all the “nice-to-haves” that you may be currently relying upon.
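The consent, access, erasure and data-minimisation requirements described above, carried through as an added example (not code from the original post): a constructed in-memory subject store in which consent only counts when the box was rendered unticked and the user ticked it, withdrawal is a single call, access returns everything held, erasure removes it all, and only whitelisted fields are ever stored. The field whitelist, purpose names and sample data are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical whitelist: only fields with a justified purpose are kept (data minimisation).
ALLOWED_FIELDS = {"name", "email"}


@dataclass
class Consent:
    purpose: str                      # e.g. "newsletter"; one record per purpose given
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Subject:
    data: dict
    consents: list = field(default_factory=list)


class SubjectStore:
    """Constructed in-memory store covering consent, access, erasure and minimisation."""

    def __init__(self):
        self.subjects = {}

    def capture(self, subject_id, form, purpose, box_rendered_ticked, box_submitted_ticked):
        # Data minimisation: keep only whitelisted fields, whatever the form sent.
        subject = self.subjects.setdefault(subject_id, Subject(data={}))
        subject.data.update({k: v for k, v in form.items() if k in ALLOWED_FIELDS})
        # A clear affirmative action: the box was unticked when rendered and the user
        # ticked it. A pre-ticked box never yields consent, so nothing is recorded.
        if box_submitted_ticked and not box_rendered_ticked:
            subject.consents.append(Consent(purpose, datetime.now(timezone.utc)))
            return True
        return False

    def can_contact(self, subject_id, purpose):
        subject = self.subjects.get(subject_id)
        if subject is None:
            return False
        return any(c.purpose == purpose and c.withdrawn_at is None for c in subject.consents)

    def withdraw(self, subject_id, purpose):
        # Withdrawal is one call, as easy as giving consent; the history is kept for audit.
        for c in self.subjects[subject_id].consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = datetime.now(timezone.utc)

    def access(self, subject_id):
        # Right of access: everything held about the subject, including consent history.
        s = self.subjects[subject_id]
        return {"data": dict(s.data), "consents": [vars(c) for c in s.consents]}

    def erase(self, subject_id):
        # Right to be forgotten: drop the data and the consent records, no questions asked.
        return self.subjects.pop(subject_id, None) is not None
```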

So – Are You Ready?

The deadline for GDPR compliance is looming large, and if you’re not ready now, you’ve only got a few short months left to prepare. You’ll need policies in place to prove that you are GDPR compliant, as all businesses are subject to random audits – even if no complaint has been made.

So, ensure that everyone has the right to be forgotten, that you are obtaining explicit consent from contacts, are giving individuals access to their data, are collecting only the data you need, and you should be compliant.

In addition, it is highly recommended that you get in touch with your email, CRM system, and other marketing technology providers to find out how they are each recommending that their clients (i.e. you) can become GDPR compliant when using their software. The biggest players on the market will no doubt be right up to speed, and will be making compliance as easy as possible – though if you’re with a smaller provider, it might not be so straightforward. Either way, it’s important that you check, and take advice where necessary.

Here’s a six step guide for GDPR compliance from Computer Weekly.

Six Steps for GDPR preparation

(Image source: computerweekly.com)

If you’re at all concerned with the impending GDPR legislation, or are in need of help ensuring that your company is compliant by the May deadline, get in touch with us here at Cope Sales & Marketing – www.cope-salesandmarketing.com.
