My GDPR journey
When I first began my professional GDPR journey in 2014, I was working as an in-house B2B marketer. At that time, I began researching the draft legislation and was trying to figure out how it might later impact my everyday work in the marketing department. Of course, I was also doing it so I could advise the senior management team on what the expected changing legal responsibilities would be. Furthermore, it occurred to me that a data breach and any negative attention from it could undo months and years of hard work I’d put in to build the company’s brand and reputation. It was then that I suddenly felt a greater weight of responsibility and duty of care for the personal data I was tasked with handling.
Since 2014, my interest in and passion for data protection and privacy have only grown. In the early days, I found it really difficult to find good information about GDPR. However, as we approach the implementation date (25th May 2018), there is certainly a lot more being published, though much of it is geared toward a general business audience and does not always answer the detailed questions that marketers may have.
The ICO’s Marketing Page is a treasure
If you haven’t visited the website yet, the Information Commissioner’s Office has a wealth of fantastic resources available on the ICO’s Marketing Page. In addition to a Guide to the GDPR and a series of blogs busting GDPR Myths, there is information on the very important PECR (soon to be E-Privacy Directive) legislation that also affects business-to-business marketing.
The language of GDPR is deliberately vague
As a non-solicitor, I have learned the hard way that the GDPR legislation is written so that it isn’t very prescriptive. The language is meant to be quite flexible and open to interpretation so that it will stand the test of time and remain relevant as new technologies inevitably emerge.
ICO Helpline if you have questions
This ambiguity naturally provokes a certain amount of anxiety for us poor souls who endeavour to stay on the right side of the law whilst continuing to market as GDPR comes in. If you don’t have access to legal counsel or a specialist compliance partner, such as Anson Evaluate, the ICO’s self-help resources are brilliant. I would definitely encourage marketers to spend time digging around and reading what’s on the ICO site before performing wider searches on the web, simply because there’s a lot of misleading information regarding GDPR being circulated right now.
If you are unsure about anything, the ICO is operating an SME Helpline. “As well as advice on preparing for the General Data Protection Regulation, callers can also ask questions about current data protection rules and other legislation regulated by the ICO including electronic marketing”.
Responsibility for GDPR is not all on marketing’s shoulders
What I’ve come to appreciate in recent times is that the responsibility for GDPR compliance isn’t as heavily concentrated in the marketing department as I first imagined.
I used to feel an exaggerated sense of ownership of the data that was coming in via the different marketing channels because I was seeing it first. My campaigns were generating the leads. Other departments were using the CRM system, but I was generating the mailshots and monthly reports.
The Information Commissioner herself, Elizabeth Denham, explains in this video that GDPR is a board level concern. “Good data protection,” she says, “is the cornerstone of your business policy and practices”. That’s a message we all need to take on board and it’s one that businesses will now have to demonstrate as part of GDPR compliance.
The following are some broad areas for consideration when mapping and assessing the sensitivity and level of risk associated with the data your company holds. I am making the point again that this is a company-wide concern. Clearly, there’s some overlap with IT or other departments here.
1. Collecting data
2. Storing data
3. Protecting data
4. Processing data
5. Serving the data owner
In a modern business context, some of the pieces of this puzzle are outsourced. If they are, the company must ensure that any third-party suppliers used are themselves GDPR compliant. This will involve having formal agreements in place which outline the rights and responsibilities for both parties. One of the notable changes in GDPR from the 1998 Data Protection Act has been the introduction of greater regulation and penalties for Data Processors. Examples of outsourced data processor services include accounting services, marketing agencies and confidential waste disposal. This isn’t all on you, my friend and fellow marketer.
DigitalLawUK and Anson Evaluate can assist you with a GDPR & Cyber Security Assessment report, which includes a comprehensive traffic-light system covering 51 elements of a business that can expose your digital assets to vulnerabilities. In this report, you get a comprehensive description of the risks for each of those assets, and the steps needed to resolve them. It’s effectively a roadmap which signposts the fastest way to GDPR compliance.
Can’t achieve compliance by the 25th of May? Don’t despair.
We are all aware that the 25th of May is fast approaching. In a perfect world, every organisation would be compliant by that date, but we don’t live in a perfect world. What I’ve been learning along the way about how the ICO thinks, according to solicitors and senior privacy professionals, is that if the worst should happen it is really important to show your work. Thoroughly document your procedures. Show that privacy and data protection weren’t being ignored. Mistakes do happen with the best will in the world. A comprehensive report such as the colour-coded one mentioned above, which prioritises the areas to tackle first, would be a great way to demonstrate compliance.
Risks in the real world
You’re missing a trick if you think that data protection is only a digital concern. Recommended by the ICO, ‘Responsible for Information – for SMEs’ is a “free e-learning course developed by HM Government and aimed at staff in micro, small and medium-sized enterprises. It helps employees and business owners to understand information security and associated risks, and it provides good practice examples and an introduction to protection against fraud and cyber-crime.” This presentation goes through real-world scenarios that employees will encounter on a daily basis which put personal data at risk of misuse. It’s really enlightening. It also goes a long way toward helping any anxious marketers understand that GDPR is not just their job inside the company. You can see that every department is handling data and it does not always live inside your computer. One example they give is a healthcare salesperson discussing commercially sensitive information and private medical data which is overheard by a competitor in a public setting.
GDPR Gems: Posters and Internal Comms
It’s everybody’s job to be trained, be aware and prevent breaches. The ICO has some nice posters, stickers and postcards for download on their website that are designed to promote good data protection practice within companies. Don’t be lulled into a false sense of security because your department is on the ball. If you are the internal GDPR champion, it’s in your best interests to ensure everyone is on side.
If you have any marketing related GDPR questions, feel free to leave a comment below. And if you’ve enjoyed this blog and found it useful, remember that sharing is caring!