Tick off these 6 Points before 25th May for Complete GDPR Compliance
Arun Pillai, January 30, 2018
Your appointment with GDPR is less than four months away. Many vendors promise “guaranteed” GDPR compliance, but only one party can actually deliver it, every time: you. And it is no longer optional. Compliance is hard work, but it has its own merits.
We have boiled the work down to 6 essential steps so you can dot the i’s and cross the t’s of your organisation’s GDPR compliance before 25th May, and keep it that way afterwards.
The Last Minute Checklist to Complete Your Company’s GDPR Compliance
Our extensive checklist covers:
- Indemnifying Campaigns against Regulatory Hurdles
- Collecting and Storing Consent
- Managing Data Securely
- Protecting Subject Privacy
- Processing Data Lawfully
- Establishing Legitimate Interests
- Aligning Communication Platforms
- Handling Sensitive Data
- Complying with Subject Rights (objection, erasure, rectifications, data transfer etc.)
- Employing Dedicated Compliance Teams
- Conducting Effective Information Audits
- Launching Opt-in/Opt-out Campaigns
1. Do the final data audit a week or two before 25th May
GDPR raises data protection to a new level. It strengthens data subject rights, but the obligations that apply to you depend on what data you hold, why you process it and on which lawful basis. Launch your final data audit within the two weeks before 25th May so that its results reflect the state you will be held to.
Check whether your final audit can answer the following questions convincingly and comprehensively:
- What data do you hold and why?
- How do you collect the data?
- How and where is the data stored?
- What do you do with the data?
- Who owns and controls the personal data?
- How long do you retain the data, and how is it deleted at the end of that period?
- Who is responsible for the data and processors associated with data?
- Do you have adequate technology / process to adequately manage data processing?
Results from your audit should culminate in an Information Asset Register.
2. Make consent seeking a regular exercise from now on
- Keep a record of all privacy notices and consent emails, for future reference
Under GDPR the controller must be able to demonstrate that consent was given, so keep the privacy notice version the subject saw, when and how they opted in, and the emails exchanged. Companies that rely on “legitimate interests” instead of consent must document their balancing test against data subject rights before processing. Either way, regulators can ask for these records during an audit or when investigating a breach.
- Set an opt-in incentive budget (suggested: 2 – 4 GBP per consent)
Asking subjects for consent to process their data does not have to rest on pure goodwill. To make it a win-win, you can offer sign-up bonuses such as gift cards or discounts, which also encourage subjects to share information honestly. The caveat: consent must remain freely given, so the incentive may not make consent a condition of a service that does not need the data.
Incentives for opt-ins typically attract more sign-ups and referrals. 2 – 4 GBP per consent is a common incentive budget for B2B campaigns.
- Add opt-out options in all B2B communications
When emailing businesses, the best practice is to inform contacts of the marketing use at the beginning (the data capture point) and to provide an opt-out option in every communication thereafter. In the UK this is the “soft opt-in” rule from the PECR e-marketing regulations, which sit alongside GDPR. The consent rules for corporate (business) email addresses are less stringent than for individuals, but the opt-out option is a must.
- Enable single or (preferably) double opt-in
Organisations must obtain their subjects’ consent through unambiguous, transparent opt-in requests at the first point of contact. GDPR does not mandate double opt-in, but a confirmation click gives you verifiable evidence that the address owner really consented. After consent, every communication from you must offer a way to withdraw that consent.
To ensure complete GDPR compliance, controllers and processors must ensure that:
- Consent is not inferred from silence, inactivity or pre-ticked boxes
- The consent clause is not “bundled” with other agreements or declarations
- Consent is not made a condition of supplying a service when the data is not needed for it
- Data subjects are clearly informed of their right to withdraw consent
- Withdrawing consent is as simple as giving it, ideally through the same medium
- Separate consents are obtained for distinct processing purposes
3. Maintain a black and a white list of contacts
- Make separate baskets for opt-in and opt-out contacts
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), gives the following guidance on emailing businesses:
“You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.”
Maintaining a white-list and black-list of contacts enhances campaign efficiency and checks the quality of your marketing database first-hand.
- Maintain a field for ‘consent qualification status’ in the database
GDPR requires organisations to record and manage consent on an ongoing basis. Apart from the contact white list and black list, adding a dynamic consent status field (per contact and per purpose) to your master database lets your CRM track and follow up on opt-in requests, and lets automation tools treat consent capture as a step in the lead nurturing process.
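The following is an added example, not code from Lake B2B or from the original post, showing how the record-keeping points of steps 2 and 3 fit together: an append-only consent ledger keyed by contact and purpose, a do-not-email (suppression) list, a derived “consent qualification status” field, and a send-time check. The event fields, the set of role-account local parts and the sample contacts are constructed assumptions for the example; the rule that role accounts may be mailed with an opt-out, while individuals need a current consent for the purpose, is the article’s own.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Local parts the article treats as corporate "role accounts" (info@, contact@ ...).
# The set itself is an assumption made for this example.
ROLE_ACCOUNT_LOCAL_PARTS = {"info", "contact", "sales", "support", "admin", "office", "hello"}


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str            # one consent per distinct processing purpose, e.g. "newsletter"
    granted: bool           # True = opt-in, False = withdrawal
    timestamp: datetime
    notice_version: str     # privacy notice the subject saw when opting in or out
    channel: str            # medium used; withdrawal must be offered through the same one
    evidence: str           # pointer to the artefact: form id, confirmation link, email id
    affirmative_action: bool = True  # False models silence / a pre-ticked box: never valid for opt-in


class InvalidConsent(ValueError):
    """Raised when an opt-in would rest on silence, inactivity or a pre-ticked box."""


class ConsentLedger:
    """Append-only record of consent events plus a do-not-email (suppression) list."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._suppressed: set[str] = set()   # lower-cased addresses or bare domains

    def record(self, event: ConsentEvent) -> None:
        if event.granted and not event.affirmative_action:
            raise InvalidConsent(f"{event.email}/{event.purpose}: opt-in needs a clear affirmative action")
        self._events.append(event)  # never overwrite: the history is the evidence

    def suppress(self, address_or_domain: str) -> None:
        self._suppressed.add(address_or_domain.lower())

    def is_suppressed(self, email: str) -> bool:
        email = email.lower()
        return email in self._suppressed or email.split("@", 1)[1] in self._suppressed

    def history(self, email: str, purpose: str) -> list[ConsentEvent]:
        """Everything recorded for this subject and purpose: what a regulator would ask for."""
        return sorted(
            (e for e in self._events if e.email.lower() == email.lower() and e.purpose == purpose),
            key=lambda e: e.timestamp,
        )

    def status(self, email: str, purpose: str) -> str:
        """The derived 'consent qualification status' field: granted / withdrawn / none."""
        hist = self.history(email, purpose)
        if not hist:
            return "none"
        return "granted" if hist[-1].granted else "withdrawn"

    def may_email(self, email: str, purpose: str) -> tuple[bool, str]:
        """Send-time gate. The suppression list wins over everything, then role account vs. individual."""
        if self.is_suppressed(email):
            return False, "on do-not-email list"
        local = email.lower().split("@", 1)[0]
        if local in ROLE_ACCOUNT_LOCAL_PARTS:
            # Article's rule: generic corporate mailboxes may be mailed, but every message carries an opt-out.
            return True, "role account, opt-out required in message"
        st = self.status(email, purpose)
        if st == "granted":
            return True, "individual with current consent for this purpose"
        return False, f"individual, consent {st} for this purpose"


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: two purposes for one individual, a role account, a suppressed domain."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 2, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("alice@example.com", "newsletter", True, t0, "PN-2018-01",
                               "web", "form signup-42, box unticked by default, confirmation link clicked"))
    ledger.record(ConsentEvent("alice@example.com", "events", True, t0, "PN-2018-01",
                               "web", "form signup-42, separate 'events' box ticked"))
    ledger.record(ConsentEvent("alice@example.com", "events", False, t0.replace(day=20), "PN-2018-01",
                               "email", "unsubscribe link in events mail #7"))
    ledger.suppress("blocked.example")   # a company that objected: whole domain goes on the black list
    try:
        ledger.record(ConsentEvent("bob@example.net", "newsletter", True, t0, "PN-2018-01",
                                   "web", "pre-ticked box left as is", affirmative_action=False))
    except InvalidConsent:
        pass  # rejected: nothing is recorded for bob, so his status stays "none"
    return ledger
```

The `status` field is derived from the event history rather than stored as a mutable flag, so a withdrawal can never be “lost” by an overwrite, and `history` hands a regulator the full chain of notice versions and evidence for one subject and purpose.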
4. Do not upload any sensitive* data to the platform
GDPR gives special status to the “special categories” of personal data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data on sex life or sexual orientation. Processing (including merely storing) such data is prohibited unless one of the specific Article 9 conditions applies, for example the subject’s explicit consent. Data on criminal convictions and offences (Article 10) may only be processed under the control of official authority or where Member State law authorises it. Children are not a special category, but their data gets extra protection (see below).
*Genetic data, biometric data and data concerning health are some of the special categories named in GDPR.
- Remove data related to criminal or any other convictions
Sensitive Information Processing
- Check whether you process data falling under “Special categories of personal data”
- Ensure consent taken for “Special categories…” data follow the specific GDPR compliance protocols
- Check Member States’ impositions for storing biometric, genetic and health data
- Be very careful when collecting information on minors
Children Online Data Protection
- Check whether the rules on children’s online data affect you (GDPR sets the age of consent for information society services at 16, and lets Member States lower it to no less than 13)
- If yes, ensure:
- Applicable national rules are adhered to
- Parental consent mechanisms and age verification processes are implemented
(for organisations offering information society services directly to children)
- National legislation on offline processing of children’s data is adhered to
- Notices are drafted in language a child can understand (for offerings directed at children)
- The balance between organisational goals and the interests of the child is carefully documented
(for organisations processing children’s data under “legitimate interests”)
5. Pre-approve B2B communication template(s) from legal firms specialized in GDPR
Transparency and user-friendliness are the two pillars of marketing communications under GDPR. Beyond thwarting unfair practices, the new law sets requirements for the messaging, media and design of notices and consent requests. These are the finer lines of GDPR compliance and they warrant expert legal review.
- Optimise sign-up forms for individual business-domain emails, not personal ones
There are two kinds of business contact to distinguish: generic role accounts (info@, contact@ etc.), which are not personal data and can be mailed without consent as long as an opt-out is offered, and the business email addresses of named individuals, which are personal data and need a lawful basis. For individual business-domain emails, existing contacts can be handled under the soft opt-in rule (an opt-out option in every communication), while new contacts should be opted in at the point of data capture.
Personal email addresses, on the other hand, are squarely private data and require a clear lawful basis, in practice consent, before any marketing.
- Host log-in portals for your websites or services on sub-domains of your own main site
GDPR does not prescribe a domain layout, but keeping member log-ins under your own domain removes ambiguity about who the controller of that service is. It establishes the service provider’s authenticity to the user, and it avoids a third-party host collecting the log-in data under its own notice, which would otherwise call for additional consent.
- Qualify the GDPR compliance of the email marketing platforms you use for B2B communications
GDPR makes communication between companies simpler, but your email marketing platform must be set up to handle the different sets of recipients you mail. Segment the tasks for non-customers, customers and corporate role accounts, since each set demands its own consent mechanism and messaging format under GDPR.
- Update your company’s incident response to GDPR’s subject-rights and data-breach rules
Under Article 17 (right to erasure), a data subject can require the controller to erase their personal data, and a controller that has made the data public must take reasonable steps to inform other controllers processing it that erasure was requested. Under Article 21 they can also object to the processing of their personal data, including for direct marketing, at any time. Controllers and processors must make this practical by setting up an easily accessible channel for registering complaints, grievances and objections promptly.
When one of the erasure grounds applies, for example when the data is no longer needed for its original purpose or the subject has withdrawn the consent the processing relied on, the controller is obliged to:
- Erase all information on the particular individual
- Cease further dissemination of the data
- Inform third parties that process the data so that they can halt processing and erase it
- Offer a user-friendly, preferably automated, channel for data subjects to express their objections
For personal data breaches that are likely to “result in a risk to the rights and freedoms of individuals”, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33). A processor must notify the controller without undue delay after becoming aware. Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34).
- Update your organisation’s data breach notification procedure. Include:
- Incident identification systems
- Incident response plans
- Encryption of personal data at rest and in transit, so that a breach of the encrypted data is unlikely to pose a risk to the subjects (which also removes the duty to notify them under Article 34)
- An assessment of your insurance coverage for data breaches
- Update the data protection clauses in supplier contracts and tender documents. Include:
- The supplier’s obligation to notify breaches without undue delay
- Emphasis on cooperation between the parties
6. Appoint a Data Protection Officer (DPO) who has a thorough understanding of the company’s inner workings.
Instead of the old back and forth of notifying processing to local Data Protection Authorities (DPAs), GDPR places the onus of record keeping on controllers and processors themselves. Organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale”, or large-scale processing of special category data, as well as public authorities, must appoint a DPO to oversee their data protection duties. The DPO can be a member of staff or an external adviser under a service contract, but either way they need a real understanding of how the organisation handles data.
The DPO does not seek DPA approval for individual processing activities; their role is to advise and monitor. Note that international transfers still need a lawful mechanism, such as the standard contractual clauses (still widely called Model Contract Clauses, MCCs), although transfers on Commission-approved clauses do not require specific DPA authorisation.