
Is your organisation ready for GDPR?

March 14 2017
25 May 2018. If that date doesn’t instantly resonate, you might be among the 97 percent of organisations without a clear EU GDPR plan already in place. Because that date – when EU General Data Protection Regulation comes into effect – should be seared into your consciousness, or at least clearly visible on a whiteboard somewhere within your office.
EU GDPR heralds a long-awaited reform of European data protection, but it’s by no means a ‘European problem’ only. It affects any global organisation that monitors or processes private data within the EU. And it affects the UK - Brexit or no Brexit.
To kick off our series on how EU GDPR will affect the marketing of your organisation (and how you can turn it to your advantage), let’s first run through its key features.
GDPR readiness at a glance
The aim of GDPR is to harmonise European data laws and give back control of personal data to private citizens.
Although there’s been a certain amount of panic about its potential impact, at its root GDPR merely extends many of the key principles of the 1998 Data Protection Act. Most of the regulations it imposes on organisations are already in place through the DPA. So this isn’t Datageddon. It does, however, introduce regulation in some significant new territory…
The accountability requirement
EU GDPR requires organisations not just to comply with data protection laws, but to proactively demonstrate proof of compliance. Personal data must be collected for a specific purpose, held no longer than is necessary, and obtained with clear, recorded consent. To quote Article 4(11), consent must be “freely given, specific, informed and unambiguous.” Once obtained, personal data must be processed and stored securely.
Responsibility for the above no longer falls to the already beleaguered IT manager. Any organisation that harvests or stores private data as one of its core activities must appoint a Data Protection Officer (DPO), who reports to the C-suite level from a position of independence. The DPO must inform the data processor and data controller of their obligations, monitor compliance, conduct internal audits and co-operate with the relevant DPA.
Privacy matters
Remember those surreptitiously worded or cleverly concealed opt-outs that invited readers to check a box if they didn’t want to receive further marketing communication? They’re about to be as out of date as MySpace. Individuals must now give explicit consent for their personal data to be stored, a record must be kept of how this consent was given, and consent can be withdrawn at any time.
Whereas B2C marketers may be accustomed to obtaining opt-ins, the new requirement to get unambiguous consent represents a shake-up for many B2B marketers. Worryingly, the DMA reports that just 25% of B2B marketers see themselves as being significantly affected by the new GDPR rules.
Among the more proactive organisations, such as the RNLI, this led to a clear initiative well in advance to flush the databases and start afresh. Given that the average mailing list experiences roughly 20% churn over the course of a year, this is an encouraging example of an organisation using GDPR to implement a much-needed upgrade.
See how the RNLI started again here.
EU GDPR also introduces several new rights that go beyond the provisions of the DPA. In short, private citizens have a:
  • Right to be informed
  • Right of access
  • Right to rectification
  • Right of erasure (the ‘Right to be Forgotten’)
  • Right to restrict processing
  • Right to data portability
  • Right to object
In the heyday of the DPA, private citizens had to make a Subject Access request to see their personal data on file, pay a £10 fee, and wait a not insignificant period for a reply. Not anymore. Under GDPR, organisations must supply the required information within a month, in a variety of formats, and at no cost.
Data breaches come at a price
The other big whammy heralded by EU GDPR is the consequence of a data breach, or not having the required policy in place. Non-compliant businesses could be hit with fines of up to 4% of their annual worldwide revenue (up to 20 million Euros) for Personal Data Breaches (PDB) or Administrative Breaches. Whereas under the DPA victims of a data breach needed to show they suffered financial loss or actual harm, under GDPR the burden of proof shifts to the organisation collecting data.
Just as importantly, organisations must report any data breaches within 72 hours to the Supervisory Authority or face dire consequences. And even if everything is on point, an organisation will still need to hold a Data Protection Compliance Review (DPCR) every two years to audit their data collection processes thoroughly.
Make GDPR a solution, not a problem
Perhaps we’ve painted a bracing picture of regulation, fines, mandatory notifications and bureaucracy. But that would be to miss the benevolent intentions behind EU GDPR, as well as the positive benefits it can bring to your business. How?
For a start, because GDPR requires marketers to convert opt-out consent to explicit opt-in consent, email marketers in particular will find themselves with a more effective tool for reaching their audience. Why? Because opt-in data significantly out-performs opt-out where engagement rates are concerned.
Secondly, GDPR forces your organisation to conduct a thorough audit of what data you have, where it’s stored, and who is responsible. It forces you to finally tackle the elephant in the room – how much of your data is invisible ‘dark’ data with no tangible use or benefit. By 2020, we’ll be operating in a data environment of some 40 Zettabytes, growing at around 39% each year.
In that respect, 25 May 2018 can’t come soon enough…
To see how your organisation can prepare for EU GDPR. 