Today we are continuing our series about the GDPR and we're looking at what you should be doing to prepare.

• Carry out an information audit.
• Raise Awareness within your organisation
• Review your privacy policy and statements
• Compliance with GDPR may require changes to your CRM systems
• Staff Training - This requires a two-step approach. First, a basic GDPR overview and impact illustration for all employees, included as part of everyone’s KPIs.
• In certain circumstances, organisations will need to appoint a DPO (Data Protection Officer)
• Adopt a business-wide GDPR compliant data policy.

Growing your contact lists (such as email subscribers) represents an important part of modern marketing, but GDPR affects the ways in which businesses can collect and store personal information. Consent to receiving marketing materials or sales phone calls – or in fact to any use of personal data – needs to be offered by everyone willingly and freely. When you ask people to share their details with you, you need to make it absolutely crystal clear what you plan to do with that data. Everything you do with people’s data requires their explicit consent under the new law.

GDPR rules also specify that you can’t opt people in to any use of their data without their consent or knowledge – marketing materials included. For example, if someone has recently purchased from you, you can’t just assume they want to hear from you and add their email address to your mailing list without asking them.

When you state what you intend to do with people’s data, it needs to be explained clearly and never buried in confusing language. You also need to keep an auditable trail of consent, so you can prove that active, knowing permission has been given by everyone, that they’ve agreed to specific activities, and that you are only carrying out activities that permission has been granted for. Otherwise, you may be vulnerable to someone claiming you’ve breached GDPR rules.

Procedure to obtain consent.

If you’re currently using people’s data in a way that you haven’t obtained explicit consent for, stop immediately. Take stock of what you do with personal data, and seek informed and willing permission from those people before GDPR comes into force. If people decline or don’t respond, cease all non-consensual activity involving that data unless they choose to opt in.

What you need to put in place:

Ensure that any opportunity you provide for people to share contact details with you offers crystal clear information about with what your intentions are with that data.

Never use pre-ticked boxes, soft opt-ins, or implied consent to grow your list. People need to provide active consent in order for their data to be used.

Seek proper, informed permission from your existing marketing lists to continue direct marketing activities.

Make sure that everyone on your marketing lists has an auditable trail of consent, proving they’ve given permission to your use of their data.

Rights to retract consent

As well as a right to give informed consent, citizens also have a right to retract that consent at any point. They also have a right to object to certain uses of their data that they disagree with, which might involve receiving marketing materials but can stretch to other activities such as when companies share people’s details with a third party. In the case of retracted consent or an objection to data use, the person’s wishes need to be acted on immediately.

Also part of the GDPR legislation is the ‘right to erasure ‘which means that you should be able to delete all of an individual’s personally identifiable data should they request it, provided there’s no “compelling reason” for you to continue storing/processing that data.

How to Comply

Previously granted consent needs to be easily retractable by the individual, and any objections to specific data uses need to be acted upon immediately; your computerised systems will need to accommodate this.

Your current data handling practices may need to change to allow for objections and deletion requests.

Ensure that you can delete identifiable data about a person completely and auditable.

Make sure that you can ringfence the data belonging to those who object to certain activities, so it can’t be used for that purpose, even in error.

Staying Informed

Individuals will now have the right to ask about and remain informed of how companies use and process their data, and ensure that data held about them is accurate. If someone finds out that a company holds incorrect data on them, they have a right to contact the company and have them make any necessary corrections immediately.

EU citizens will also have a ‘right to access’, which means that they have a right to request a digital copy of any data held about them; companies will have to provide this within a month of receiving the request. People that you hold identifiable information about will now have the right to ask about what information you hold about them,

• why you hold it,
• how long you’ve had it,
• how long you intend to hold it,
• what you intend to do with it.

So how do you answer the above questions:

Your systems need to be able to make correcting data easy and auditable

You may need to amend your data storage systems so you can easily export a digital copy of an individual person’s data quickly and easily should they exercise their right to access.

Your systems also need to record when each person opted in, what activities they agreed to in doing so, and what you intend to do with their data.

Don’t Forget - GDPR also provides crucial legislation surrounding data breach handling, protections for children, and appointing in-house data protection officers.

Also bear in mind that GDPR doesn’t just refer to data about consumers and prospects – it refers to all individuals. That includes the data that a company holds about its employees.

Make sure your whole team is informed of their new responsibilities to those you hold data about, that they’re trained thoroughly on all aspects of GDPR, and are dedicated to keeping your company compliant.