GDPR Compliance: Tactical Steps for Companies to Prepare
The deadline for the EU’s General Data Protection Regulation (GDPR) is creeping toward us, and it’s essential for companies to get their data ducks in a row to ensure they don’t fail the GDPR compliance test.
Below are some of the top takeaways from our recent webinar GDPR: Critical Steps You Must Take to Ensure Compliance with ObservePoint’s Clint Eagar and Tealium’s Chris Slovak.
A Few Things to Remember about GDPR Compliance
GDPR Applies to You
The truth about GDPR is that compliance is required for any digital company offering goods or services to EU citizens—even if those services are free. This makes GDPR a data privacy regulation with global scope. Failure to comply could result in a hefty fine.
Consent and the Right to be Forgotten
Consumers need to give explicit, informed consent before your company can gather data about them. End of story.
In addition to mandatory consent, the GDPR also mandates companies must uphold the right to be forgotten. The right to be forgotten means that EU citizens can require companies to erase their data sets, which must be deleted without undue delay (within 24 hours).
Data Governance Is about Gaining Trust
Customer-centric businesses use data governance to protect their customers and gain their trust and loyalty. Working towards GDPR compliance can help companies reevaluate how their data collection practices should protect the consumer.
Getting Ready for GDPR
Here are 5 steps to help you get on track for the May 2018 deadline:
- Know Your Vendors
- Build a Data Inventory
- Build Controls, Develop Policies and Procedures
- Create a Data Governance Panel
- Provide Clear and Accurate Notices and Communications
1. Know Your Vendors
First 30 days: start creating a database of all technologies deployed on your site. Know where your data is being sent and how it is being used.
First 1-3 months: document all of your technologies. This is part of what GDPR refers to as an ongoing data protection impact assessment (DPIA). You should be able to answer the questions:
- Who is the business owner?
- Why is this technology on our site?
- What data is being collected? Is there personally identifiable information (PII)?
- Where is the data being stored? How is data transferred?
- Who has access to this data?
Make sure to continue to update this list over time.
2. Build a Data Inventory
Building a data inventory involves the following steps:
- Agree on data sensitivity both from a legal and experience perspective.
- Agree on the data needed to run marketing vs. operations.
- Document data requirements for running the business.
- Document where the data is stored.
- Check vendor integrations.
As part of this process, you need to know where your data is being stored and transferred. Any personally identifiable information should remain as secure first-party data so that you’re not putting your customer’s PII at risk.
3. Build Controls, Develop Policies and Procedures
Building controls, policies and procedures involves the following steps:
- Verify proper contracts with your vendors, outlining how data is to be used.
- Create governance policies and processes.
- Update internal and external communications. Know how data is being shared.
- Configure vendors for least access to data.
- Create data audit guidelines and tests.
- Test and audit internally for compliance.
A designated data governance executive should be appointed to serve as the gatekeeper of all technologies and data being used, and should lead efforts in privacy, auditing and the right to erasure.
4. Create a Data Governance Panel
Your data governance panel should be comprised of all stakeholders responsible for ensuring data is used properly and vendors are selected cautiously. This panel could include the IT department, your legal team and your head marketers.
5. Provide Clear and Accurate Notices and Communications
- Provide customers with explicit opt-in/opt-out.
- Communicate with technology vendors on evolving data usage and compliance.
- Ensure the right to be forgotten.
GDPR Compliance as a Competitive Differentiator
While working toward GDPR compliance will likely put a strain on companies’ resources, customers will respond positively to brands that value privacy. Companies should take advantage of the requirement to comply by being transparent with customers about efforts to respect their privacy and identity.
Putting the customer at the center includes protecting their data. Consequently, working toward GDPR compliance will make it that much easier to delight customers.