The end of May saw a milestone in data privacy pass by with little to no fanfare. A few in the tech industry, along with a scattering of business and journalist folk, took note of the date, but for many, it was simply another day. I am, of course, talking about the one-year deadline to get ready for the General Data Protection Regulation (GDPR). With less than 12 months to get up to scratch, there’s still a worrying number of businesses that barely know about the regulation.
Some may still wonder why they should bother. For them, a hefty wake-up call awaits on 25th May 2018. Companies that do not comply with GDPR on this date could be fined up to €20 million or 4 percent of their global revenue. Some may believe that Brexit means we don’t need to comply with the EU Regulation, but this simply isn’t true. In fact, GDPR has already been ratified into UK law and the Queen’s Speech explicitly stated that it’s not going to be repealed.
12 months to go
Nearly every company is going to be affected by GDPR. Simply put, if you use data, store data and specifically use your customers’ information to deliver marketing messages to them, you’re going to have to pay attention to GDPR. It basically makes decent data management and governance a legal requirement. If you run any kind of business that uses EU citizens’ data, you need to start getting a plan into place – and time is not on your side.
Many companies have begun offering pre-packaged software solutions to help companies become GDPR compliant. Unfortunately, to truly meet the standards, there’s no one-size-fits-all solution.
The first step towards getting GDPR ready is, naturally, to let key stakeholders know about the Regulation and its consequences. The hefty fine should be enough to get the attention of senior management. If not that, then the associated loss of consumer trust and potential damage to brand reputation from a GDPR infringement should spur them into action.
Once key stakeholders understand what is happening, the next people who should know are your customers. You’re better letting them know sooner rather than later, as you’ll have to get their consent for different uses of their data, and it will take time to obtain this. Indeed, it’s worth designing an entire marketing campaign around making your customers aware of GDPR and gaining their consent. Don’t underestimate how many times you may need to contact your customers to get the point across.
Initially, it’s a good idea to give customers some general information about GDPR and what it means for them. The key here is to make sure you personalize the message so it’s not just boring jargon about data legislation – you need to emphasize what this means for your customers’ everyday lives.
When you’re sure your customers are aware of GDPR, the next step is to get their consent for each and every use of their data. You’ll need to explain exactly how you’re going to use their data, the algorithms and analysis you’re going to run on it and how it is going to be stored. It’s of utmost importance that all of this is explained in layman’s terms. In the case of minors, you’ll have to find a way to explain all this to children, and their parents or guardians.
Don’t make the mistake of believing that once you’ve got customer consent, you can just rest on your laurels and use their data for years to come. Under GDPR, consent is going to have to be reviewed and given regularly. It’s worth setting up a central hub, a consent center, for people to manage their preferences. Likewise, you should consider sending regular emails or other communication to ask people to refresh their consent every six months or so.
The next step in this journey is data management. GDPR makes decent data infrastructure a legal requirement, so if your data is bundled in several different places and isn’t easily accessible or transferred, you’re in pretty big trouble. The good news is that proper data management infrastructure and systems can pay off in the long run, giving you greater flexibility in running advanced data analysis and data science. That, in turn, can uncover profound insights that can inform every part of your business, from your marketing to your business processes and supply chain.
The above is merely a quick overview of the many different steps businesses will have to take to become GDPR compliant. Each and every business is different, so every business will need a unique approach to get ready before the deadline. They say that slow and steady wins the race, but in the case of GDPR, with May 2018 fast approaching, if you haven’t started getting ready yet, I suggest you begin to sprint.
Guy Marston is managing director at data science and marketing services company Profusion.