On May 25, 2018, the new European Privacy Act – the General Data Protection Regulation or GDPR – will enter into force. Its goal is to protect consumers from abuse of their personal data.
In today’s data-driven economy, this has significant consequences for every company that holds the personal data of EU citizens. Importantly, this covers not only data on your customers but also data on prospects, suppliers and even your own employees. All kinds of companies are affected: B2B as well as B2C, small as well as large, in every sector. And compliance will involve every part of the company, including communications and marketing.
So here are 10 tips for communication managers and marketers to help your company handle its GDPR requirements:
- Document how you handle data, including the data you collected in the past. Identify which personal data is circulating within your organization, who has access to it, where it comes from, what you are doing with it, and how it could be exchanged with third parties.
- Send marketing messages only to those people who have explicitly indicated that they want to receive them using a (double) opt-in. Be aware that you can no longer use a pre-checked checkbox on forms.
- The opt-in requirement is retroactive. If you didn’t get the permission in the past, you need to go back and get it from everyone in your databases.
- If you get personal data through a third party, you must inform the affected people within 30 days, and let them know how you will use their information. Use your creativity to do this in a commercially attractive way!
- Always give everyone the opportunity to customize their preferences. And if someone has questions about his or her data, you must respond within 30 days.
- Individuals can also ask to be “forgotten” at any time (the “right to be forgotten/right to erasure”). You must then delete all their data from your databases. If you have passed their data to third parties, you are responsible for making sure this data is likewise removed from those databases.
- Are you using external services and solutions? Confirm that the vendors are GDPR-compliant. Make sure you have a written agreement (with the necessary security clauses) with any company or individual consultant you work with, such as the subcontractor who sends out your digital newsletters.
- If, despite all your precautions, you are the victim of a data loss or theft, you are required to report it to the Privacy Committee within 72 hours. If important data (e.g. relating to e-commerce) has been affected, you should also inform the users. Work out a procedure to detect, investigate and report data leaks as quickly as possible.
- And finally, to ensure that the rules regarding the use of personal data are properly observed, consider appointing a Data Protection Officer (DPO). For some organizations, including government agencies, this is mandatory.
Using new challenges to create new opportunities
Achieving and maintaining compliance with the GDPR is going to cost companies time and money. But the stricter rules also create new opportunities. So be creative! You can use GDPR compliance in your marketing and communications messages to show that you take the privacy of your customers seriously. This can become a platform for building customer trust in your company and brand.
Another advantage, especially for companies that are active internationally, is that the GDPR creates international uniformity. And where European legislation used to lag behind, for example, that of the United States, other continents are now mirroring Europe. You can highlight this leading and pioneering position among international customers and markets.
Want to learn more about GDPR?
Here are a few resources: