Taking the headache out of GDPR compliance - Lead Forensics

Taking the headache out of GDPR compliance

The GDPR compliance deadline is nearly here, but have no fear! It’s not too late to get up to speed and ensure your business is primed and ready for action.

GDPR, which stands for General Data Protection Regulation, comes into force on 25 May 2018. It is one of the biggest and most disruptive changes to ever happen to businesses operating in the EU.

In a nutshell, it offers greater rights and protections for EU citizens, with regards to their personal data and how businesses collect, use and hold on to it.

For some organisations, this could mean a complete shake-up of systems and processes is called for, along with some new ideas when it comes to marketing. For others, who are already well across existing data protection laws, it could just require that some additional enhancements are made.

But with so much information and advice written on the subject, there’s a risk that it could all start to feel a little overwhelming – especially when you’re busy getting the day job done. So, we’ve made it simple for you.

We’ve pulled together the essential information your business needs to know, along with creating a handy checklist you can download and keep. We’ve also put together some marketing-specific guidance, designed to ensure teams are planning and working in a GDPR compliant way.

The big picture – what businesses need to think about

The ICO – the organisation responsible for regulating and enforcing GDPR in the UK – has issued pages and pages of guidance on GDPR and what the new rules for processing personal data are.

But where should you start, when faced with so much information and technical jargon?

To help you, we’ve broken the process down into some key action points – from who needs to know about GDPR within the business, to understanding what rights individuals will have under GDPR and the types of systems and processes you need to put in place.

Awareness – It all starts with raising awareness. Everyone within the company needs to be aware of GDPR, what it is and how the new rules will affect them. As the new regulation covers the processing of any form of personal data, it extends far beyond marketing and will have implications for many other departments, including HR and accounts. Make sure everyone knows what it is, what they need to do to be compliant and what the potential consequences are for getting it wrong (in most cases, a hefty fine).

Assign responsibility – GDPR stipulates that any business with over 250 employees must employ a dedicated Data Protection Officer (DPO), who will be responsible for ensuring that the business collects and secures personal data responsibly. But even if you’re not legally required to, it’s a good idea to give someone within your company responsibility for heading up and leading on your GDPR compliance. That way, you will know it is being actively managed and progressed, ahead of the 25 May deadline and then moving forward.

Undertake a data audit – Before making any procedural changes, you need to know what the current situation is. Conduct a personal data audit to document what you currently hold, where you got it from and how you are using it. It may be that some, or all, of the data you hold is already compliant under the new regulations. To be sure, you need to be clear about where it’s come from, how it was collected, what consent has been given and recorded, and how it is being used. Be aware that ‘personal data’ under GDPR refers to any information that can be used to directly or indirectly identify an individual. This means it covers a lot more than previous data protection laws have done.

Update your privacy policy

You need to make it very clear to individuals how you plan to use their personal data. You’ll need to provide a detailed explanation that is specific and unambiguous. Individuals must then be able to give their consent in a similarly clear and affirmative way (no automatic opt-ins). Check you have an up-to-date privacy policy that states who you are, what you will use the data for, how long you will keep it and also points out that individuals have the right to complain to the ICO, if they ever feel their data has been mishandled. The emphasis will be firmly on you to prove and evidence that you have gained specific consent.

Comply with the rights of individuals

Individuals will have a lot more rights under GDPR, where their personal data is concerned. This includes:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object

You need to be able to handle any requests from individuals, so a well-organised database and set processes are vital. For example, if someone requests that their data is erased, you need a set process mapped out for how you will manage this. The business will have just 30 days to comply and generally won’t be able to charge anything for doing so.

Update your systems and processes

We’ve touched on a few of the main processes already, but here is a list of the other key issues you need to consider:

  • Lawful basis – what is the lawful reason (GDPR specifies six) upon which you are collecting and processing each piece of data? There must be a specific, lawful reason and this must be clearly outlined in your privacy policy.
  • Record keeping – how will you document and evidence the consent you have been given from individuals? You will be responsible for proving you have acted in a GDPR compliant way, in the event of a complaint or investigation.
  • Managing requests – how will you manage requests from individuals and also action them within the required timeframe? Who within your organisation will be responsible for this?
  • Data breaches – what processes will you put in place to detect, report and manage any data breaches that may occur?

For some more simple, bite-sized steps you can follow, download this free guide: 12 easy steps to GDPR compliance.

Spotlight on marketing

While GDPR has implications for any department within an organisation that deals with personal data, it is particularly important that marketers are across it. When formulating plans and strategies, it’s vital that teams understand the rules and can work effectively within them.

The good news is, GDPR doesn’t have to signal the end of sales and marketing! It may simply mean a rethink and introducing some extra due diligence and quality control, for example when working with third parties.

For more detailed advice and top tips, see: What does GDPR mean for B2B marketing?

To help you further, also check out this handy factsheet we’ve developed specifically for marketers, which covers everything you need to know about the new rules – from understanding the key terminology, to advice on how to prepare and what is and isn’t allowed when GDPR comes into force:

Just don’t delay…

The most important thing for any business is to act now. It’s not going to be a task on the ‘to-do list’ that can be sorted overnight. There are lots of elements that need to be considered and checked, as well as multiple people who may need to be involved, so acting early really is key to reducing your stress levels.

Embracing change is never easy, but in reality, GDPR may not be as scary as you think. If you’re already working hard to meet current data protection legislation, then you’ll be well on your way to compliance. And if you’re also using inbound marketing tactics, such as content marketing, along with the Lead Forensics tool to help you capture online leads, then you’ll be well ahead of the game.

As for us, here at Lead Forensics, if you’re wondering how GDPR will affect our data and services, the answer is here: How Lead Forensics complies with GDPR

DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: www.ico.org.uk