The General Data Protection Regulation (GDPR) is intended to strengthen and unify data protection for all individuals within the EU, which will have an effect on all businesses. In the wake of the GDPR, small and medium-sized businesses will have to rethink their systems before the May 2018 deadline.
GDPR and Digital Marketing
Most digital marketing agencies run on a multitude of business systems, and even small agencies have a large number of different systems in place. These include CRMs, marketing automation, website tracking products, email, collaboration platforms and websites. Each of these systems contains personally identifiable information which will be subject to the new rules of the GDPR.
What is the purpose of GDPR?
GDPR is coming into force in order to protect an individual’s data. It includes the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
These each have nuanced definitions, but they basically mean that the individual must be told exactly what their data is being used for, be allowed to access, modify or delete the data and be able to make a legal case against the use of their data if it breaches GDPR.
Data Protection Options
There are several approaches that a business can take to control its data and comply with the GDPR. However, bearing in mind the impending deadline, it is important to choose an option that best suits your business model:
The first option is to delete information. This would involve making changes to the way your business operates, removing the need for certain systems and making it possible to delete the associated data. This is a drastic but effective way to meet the GDPR stipulations.
The second option is to migrate, which is to consolidate and organise the data, information and systems that you already have in compliance with GDPR.
The third option is to put controls in place that let you largely leave things as they are while adding a layer of control.
Consider also implementing technology that can support your business on its way to being GDPR compliant.
Only the smallest organisations will be able to manually handle Subject Access Requests, the right to be forgotten and all of the other key processes that make up the GDPR. You will need to understand what exactly a new technology will offer in terms of bringing you closer to the stipulations of the GDPR for digital marketing, several of which we list below.
Running a Risk Assessment for GDPR and Digital Marketing
Does the search and classification technology cover all of the systems in your organisation? And does the technology complement the systems that you already have in place?
Will it provide a unified view of all of the corporate systems about what data you have?
Will it show which data is likely to fall under the GDPR, and will it identify which data contains personally identifiable information (PII) and sensitive PII?
Is it possible to implement and enforce data handling policies across all systems in real time? And are the data handling processes repeatable and easily audited?
Will it automate (in an auditable way) the handling of data held on Data Subjects, right-to-be-forgotten requests and other stipulations of the GDPR?
Is it possible to easily add to and adapt the system whilst still maintaining the right controls?
Using technology will make the transition to becoming GDPR compliant both quicker and easier, which is essential for most businesses. However, do not forget that to be a fully compliant business there are many other areas that will require attention, such as edge security and antivirus as well as staff training, having a trained Data Protection Officer and creating a risk management strategy.