GDPR: Survival guide for latecomers

For many companies, the GDPR (General Data Protection Regulation) is the thick dossier lying unopened on the desk, which they’ll “get to next week”. Yet, time is running out! On 25th May 2018, the GDPR will well and truly come into effect.

And with it, processing personal data will move away from a simple system of declaration to that of responsibility and audits. And a warning to anyone thinking of ignoring this responsibility…it could cost you dearly: a fine of €10 to 20 million or 2 to 4% of global turnover depending on the infringement. This raises a few key questions: how do you make the most of the upcoming weeks to get GDPR compliant? And more importantly, where do you get started? This is our little survival guide aimed at everyone running a bit behind…

#1 Evaluate the risks

Even when in a hurry, you cannot overlook this tedious task. The aim is to draw up a complete picture of the risks as well as a detailed map showing when data is processed, and the solutions required. To do so, list all the personal data you handle and analyse each step in its lifecycle from a security viewpoint.

What is the nature of this data?

• For what purposes is it used?
• Where is this information stored?
• Is access secure, for example, using two-factor authentication?
• Is its content protected e.g. with encryption?
• Do third parties have access to this data? For what purposes? In what conditions?
• Are the operations performed on this information properly logged?
• Are the procedures regarding this information documented?

These questions are all highly relevant since the GDPR requires businesses to directly incorporate personal data protection into their operating and engineering model — hence the notion of ‘Privacy by default’ or ‘Privacy by design’. They must also be capable of accounting for the measures and initiatives taken day to day (accountability). Tiresome — we did warn you — but essential.

(EXTRACT OF THE WHITE PAPER ON HOW TO ENSURE YOUR DMP IS GDPR COMPLIANT)
What makes data personal?
The GDPR defines personal data as any information related to a physical person that can be identified, directly or indirectly, by an identifier such as a name, ID number, location data, an online identifier or one or several factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Therefore, cookies constitute personal data since they can indirectly identify the person. In concrete terms, with the GDPR, cookies can only be activated with the explicit consent of the user once they have been informed of the purpose.
WANT TO KNOW MORE? > DOWNLOAD THE WHITE PAPER

#2 Have a spring clean and minimise data

A good way to comply with the GDPR’s mandates is to only collect data when it’s necessary. In short, that means only gathering the data needed for your services. Why ask for information regarding the profession or number of people in the household if this information has no bearing on the end service? When it comes to the GDPR, colleting excessive amounts of data poses considerable and unnecessary risk.

Let’s be absolutely clear, balancing data collection with its use necessitates data governance. Governance which will be that much easier, from establishing its principles to implementation, if the data is centralised within a Customer Data Platform (CDP)— and not spread out across multiple bases and applications.

Hence why the analysis task mentioned previously is so important. But don’t just stop there: take advantage of the opportunity to perform a huge spring clean of your data and adopt the minimisation principle advocated by the GDPR.

#3 Overhaul your consent practices

You have surely started to receive emails along the lines of: “Hello, are you still interested by our information? If you are and don’t want to miss anything, please click below to keep getting our emails each week, etc.” This type of email will be increasingly popular in the coming weeks for one simple reason: the GDPR requires data to be collected lawfully, fairly and in a transparent manner.

In simple terms, every piece of data must be obtained in exchange for a clearly defined and described service. One important clarification: providing personal information cannot be a prerequisite for providing the service — doing so invalidates the consent as it is no longer considered to be freely given.

Evidently, the GDPR clearly heralds the death of ‘soft opt-in’ and ‘passive opt-in’. Gone are the days when opening an account for a service included a pre-checked box to sign up for a newsletter. Each purpose needs its own consent; and each consent must be strictly limited to the necessary data. Hence the abundance of ‘reconfirmation’ initiatives — like the aforementioned emails — as companies strive to comply with GDPR’s consent conditions and consequently clean up their contact databases.

This means you need to review your consent forms. And while you’re at it, you may as well also add others to allow anyone to rectify, ask for a copy of or restrict the processing of their personal information.

#4 Get ready for a new form of cookie management

You may be wondering: what about cookies? Do they also fall under the GDPR requirements? The answer is yes, but the precise conditions are still being ironed out through the ePrivacy regulation. While GDPR focuses on the general protection of personal data, ePrivacy takes the key points of the GDPR to focus on electronic communications.

Instead of waiting for this new regulation to take shape, it seems opportune to abandon the usual phrasing of “By browsing this site you accept the use of cookies” for a much more detailed and instructive description of the cookies’ purpose. This new mechanic poses both a technical and organisational challenge that deservedly requires the attention of the marketing team responsible for digital activities.

For businesses that have to manage multiple tags across their web platforms, the best solution is to use a TMS (Tag Management System) specifically designed for handling personal data.

#5 Adapt your structure & educate your staff

Although evaluating risks as well as overhauling useful data and how you obtain consent are all important steps in getting GDPR compliant, they are not enough. The new regulation goes even further, compelling the entire company to think about personal data protection. And for that, the regulation stipulates several scenarios where the appointment of a DPO (Data Protection Officer) is necessary. In short, given the cases described, it would seem that appointing a DPO is unavoidable for any activity like e-Commerce.

However, every single employee, not just the DPO, must be informed of the risks involved for the company if it handles personal data too loosely. An initiative that must be sustained well beyond the 25th May 2018 deadline.

(EXTRACT OF THE WHITE PAPER ON HOW TO ENSURE YOUR DMP IS GDPR COMPLIANT)
The DPO’s duties?
A DPO takes on the roles of consultant, coordinator and auditor, whose tasks are to:
-Advise and inform the processor;
-Ensure the law is obeyed;
-Serve as a point of contact for compliance authorities.
WANT TO KNOW MORE? > DOWNLOAD THE WHITE PAPER