GDPR Compliance: Tactical Steps for Companies to Prepare

August 25, 2017 Jack Vawdrey


The deadline for the EU’s General Data Protection Regulation (GDPR) is creeping toward us, and it’s essential for companies to get their data ducks in a row to ensure they don’t fail the GDPR compliance test.

Below are some of the top takeaways from our recent webinar GDPR: Critical Steps You Must Take to Ensure Compliance with ObservePoint’s Clint Eagar and Tealium’s Chris Slovak.

Check out the webinar to get the full explanation on how to direct your company toward GDPR compliance.

A Few Things to Remember about GDPR Compliance

GDPR Applies to You

The truth about GDPR is that it applies to any organisation that processes the personal data of people in the EU while offering them goods or services (paid or free) or monitoring their behaviour, wherever that organisation is based. This makes GDPR a data privacy regulation with global scope. Failure to comply can bring fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Consent and the Right to be Forgotten

Consent under GDPR must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action (pre-ticked boxes and silence do not count), and as easy to withdraw as it was to give. Consent is only one of the lawful bases the regulation recognises, but for third-party marketing and analytics tags it is the one you will normally need, so treat it as mandatory: collect nothing until the visitor has opted in. End of story.

In addition to consent, the GDPR also mandates that companies uphold the right to erasure, better known as the right to be forgotten. Data subjects can require you to erase the personal data you hold on them, and you must do so without undue delay, and at the latest within one month of the request (extendable by two further months for complex or numerous requests, provided you tell the person why). Erasure is not absolute: data you are legally obliged to retain, for example, is exempt. In every case you must know which of your own systems and which vendors hold the data, or you cannot honour the request.

Data Governance Is about Gaining Trust

Customer-centric businesses use data governance to protect their customers and gain their trust and loyalty. Working towards GDPR compliance can help companies reevaluate how their data collection practices should protect the consumer.

Getting Ready for GDPR

Here are 5 steps to help you get on track for the 25 May 2018 enforcement date:

  1. Know Your Vendors
  2. Build a Data Inventory
  3. Build Controls, Develop Policies and Procedures
  4. Create a Data Governance Panel
  5. Provide Clear and Accurate Notices and Communications

1. Know Your Vendors

First 30 days: start creating a database of all technologies deployed on your site. Audit the live pages rather than just the tag manager configuration, because tags routinely load further tags of their own. Know where your data is being sent and how it is being used.

First 1-3 months: document all of your technologies. This documentation feeds the record of processing activities that GDPR requires you to maintain and, for any technology whose processing is high-risk (large-scale tracking or profiling, for instance), the data protection impact assessment (DPIA) you must carry out before deploying it. For each technology you should be able to answer the questions:

  • Who is the business owner?
  • Why is this technology on our site?
  • What data is being collected? Is there personal data? (GDPR's definition is wider than the usual notion of personally identifiable information (PII): IP addresses, cookie IDs and device identifiers all count.)
  • Where is the data being stored? How is data transferred?
  • Who has access to this data?

Make sure to continue to update this list over time.

2. Build a Data Inventory

Building a data inventory involves the following steps:

  1. Agree on data sensitivity both from a legal and experience perspective.
  2. Agree on the data needed to run marketing vs. operations.
  3. Document data requirements for running the business.
  4. Document where the data is stored.
  5. Check vendor integrations.

As part of this process, you need to know where your data is being stored and where it is transferred, including transfers out of the EU. Keep personal data first-party and under your own controls wherever possible, and send vendors only the fields they need, so that you aren't putting your customers' data at risk in systems you don't control.

3. Build Controls, Develop Policies and Procedures

Building controls, policies and procedures involves the following steps:

  1. Verify proper contracts with your vendors, outlining how data is to be used.
  2. Create governance policies and processes.
  3. Update internal and external communications. Know how data is being shared.
  4. Configure each vendor for least access to data: send only the fields it needs to do its job, and nothing more.
  5. Create data audit guidelines and tests.
  6. Test and audit internally for compliance.

A designated data governance executive should be appointed to serve as the gatekeeper of every technology and data flow in use, and should lead efforts in privacy, auditing and the right to erasure. Note that GDPR separately requires some organisations, including those whose core activities involve large-scale, systematic monitoring of individuals, to appoint a Data Protection Officer; if that applies to you, plan for that role as well.
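The "know your vendors" inventory in step 1 and the audit tests in step 3 can be scripted. The following is an added example, not code from ObservePoint, Tealium or the webinar: it parses one HTML page, lists every third-party host the page loads resources from (including the query parameter names those requests carry, which show what the tag is sending out), and checks the hosts against a vendor register that records the answers to the five questions above. Hosts missing from the register are unapproved tags; register entries that leave a question unanswered are flagged too. The first-party domain, the register contents, the host names and the sample page are all constructed for illustration.

```python
"""Tag inventory audit (added example; hosts, register and page are constructed)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "example.com"  # assumed registrable domain of the site itself

# The five questions every register entry must answer (see the list above).
REQUIRED_ANSWERS = ("owner", "purpose", "data", "storage", "access")

# Constructed register of approved technologies. The tag-manager entry is
# deliberately missing the "access" answer so the audit has something to flag.
VENDOR_REGISTER = {
    "www.google-analytics.com": {
        "owner": "marketing", "purpose": "web analytics",
        "data": ["client ID cookie", "page URL", "IP address"],
        "storage": "vendor-hosted; transfer outside the EU under contract",
        "access": ["marketing", "analytics team"],
    },
    "tags.tiqcdn.com": {
        "owner": "marketing", "purpose": "tag manager",
        "data": ["page URL", "data layer variables"],
        "storage": "vendor CDN; configuration only",
    },
}

# Constructed page: first-party assets, two approved tags, two unknown ones.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//tags.tiqcdn.com/utag/example/main/prod/utag.js"></script>
</head><body>
<form action="/login" method="post"></form>
<img src="https://px.unknown-pixel.example/t.gif?uid=123&amp;email=a%40b.example" width="1" height="1">
<iframe src="https://ads.retarget-vendor.example/frame?cid=42"></iframe>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects (host, element, URL, query parameter names) for every element
    that makes the browser contact another host."""
    URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href",
                "form": "action", "embed": "src", "source": "src",
                "video": "src", "audio": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        if url.startswith("//"):          # scheme-relative URLs still leave the site
            url = "https:" + url
        parsed = urlparse(url)
        if not parsed.hostname:           # relative URL: stays on the first party
            return
        params = tuple(sorted(parse_qs(parsed.query).keys()))
        self.resources.append((parsed.hostname, tag, url, params))


def is_first_party(host, first_party=FIRST_PARTY):
    return host == first_party or host.endswith("." + first_party)


def inventory(html, first_party=FIRST_PARTY):
    """Map each third-party host to the resources the page loads from it."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = {}
    for host, tag, url, params in collector.resources:
        if is_first_party(host, first_party):
            continue
        hosts.setdefault(host, set()).add((tag, url, params))
    return {host: sorted(entries) for host, entries in hosts.items()}


def audit(html, register=VENDOR_REGISTER, first_party=FIRST_PARTY):
    """Compare the page's third-party hosts with the vendor register."""
    found = inventory(html, first_party)
    approved = {h: r for h, r in found.items() if h in register}
    unapproved = {h: r for h, r in found.items() if h not in register}
    incomplete = {}
    for host in approved:
        missing = [q for q in REQUIRED_ANSWERS if q not in register[host]]
        if missing:
            incomplete[host] = missing
    return {"approved": approved, "unapproved": unapproved, "incomplete": incomplete}


if __name__ == "__main__":
    result = audit(SAMPLE_PAGE)
    for host, resources in result["unapproved"].items():
        for tag, url, params in resources:
            print(f"UNAPPROVED {host}: <{tag}> sends parameters {params} via {url}")
    for host, missing in result["incomplete"].items():
        print(f"INCOMPLETE {host}: register does not record {', '.join(missing)}")
```

Run against a crawl of every page template rather than one page, and diff the result against the previous run: a new host appearing between runs is exactly the piggybacked tag the step 1 note warns about. The query parameter names are the quickest clue to the "what data is collected" question; a pixel that carries an `email` parameter needs an owner and a lawful basis before it goes live.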

4. Create a Data Governance Panel

Your data governance panel should include every stakeholder responsible for ensuring data is used properly and vendors are selected cautiously. This panel could include the IT and security teams, your legal team and your head marketers.

5. Provide Clear and Accurate Notices and Communications

  1. Update your privacy policy.
  2. Provide customers with an explicit opt-in, and an equally easy way to opt out or withdraw consent later. Pre-ticked boxes don't count.
  3. Communicate with technology vendors on evolving data usage and compliance.
  4. Ensure the right to be forgotten.

GDPR Compliance as a Competitive Differentiator

While working toward GDPR compliance will likely put a strain on companies’ resources, customers will respond positively to brands that value privacy. Companies should take advantage of the requirement to comply by being transparent with customers about efforts to respect their privacy and identity.

Putting the customer at the center includes protecting their data. Consequently, working toward GDPR compliance will make it that much easier to delight customers.

To get the full explanation of the tactical steps necessary to comply with GDPR, check out the webinar: GDPR: Critical Steps You Must Take to Ensure Compliance.


About the Author

Jack Vawdrey

A former student and present enthusiast of the humanities, Jack Vawdrey uses his love of language to explore the role of marketing and analytics technology in business. Jack joined the ObservePoint marketing team in August 2016 and serves as Managing Editor. Adamant about automation, Jack writes to educate the analytics and marketing community about the role of tag auditing and data governance in the enterprise.
