Is your business ready for the GDPR? On May 25, 2018 a sweeping change in global consumer privacy, one that will fundamentally change the way companies around the world perform outbound marketing, will become law. This is the date that enforcement commences for the European Union’s new General Data Protection Regulation (GDPR), governing the use of personal data for over 500 million EU residents. US companies who market to customers or prospects in Europe will now face strict regulations surrounding the use and storage of consumer data, backed by potentially hefty revenue-based fines.
However, recent studies have shown that many businesses are woefully unprepared for GDPR, which will require changes ranging from point-of-entry data validation to the management of changing contact information. So, what is a good way to get started on the road to compliance? Start with these three building blocks.
For most organizations, GDPR compliance pivots around three fundamental building blocks: consent management, data protection, and data quality.
The first two of these building blocks will revolve around process change for most organizations. In the first case, consent management means that you will now need to prove that you have permission to use someone’s personal data for marketing purposes, and maintain records of this permission.
There are no exceptions to this rule for previously captured data, which means that consent may need to be re-acquired under mechanisms acceptable under GDPR. This also extends to providing easy and accessible ways for consumers to reverse this permission, extending all the way to Europe’s concept of “the right to be forgotten”—requiring you to erase all traces of a person’s contact information if requested by a consumer.
The second building block, data protection, involves deploying processes—and possibly specific people—designed to protect consumers’ personal data from unauthorized disclosure.
At a process level, this means that organizations will need to show that they have safeguards in place against personal data being stolen or misused. One popular approach for this involves pseudonomization, where key personal information is kept separate and secure until actual use. Unlike anonymization, where ownership of data cannot be reconstructed, pseudonomiization allows certain identifying characteristics to be used as a “password” to combine other separately-stored components of information at the time of use.
If your organization is large enough, GDPR may also require the formal role of a Data Protection Officer (DPO), with dedicated responsibilities within an organization for protecting personal data. The specific criteria for needing a DPO is “large-scale systematic monitoring of individuals,” along with more specific situations such as public authorities and organizations handling large scale data processing of criminal convictions. With or without a formal DPO, companies will be expected to have a documented game plan for protecting consumer information.
Finally, data quality serves as the third building block. Once upon a time incorrect, fraudulent or changing contact records were seen as an annoyance, or perhaps an unavoidable expense—and if people received unsolicited marketing materials or contacts as a result, it was their problem to endure or resolve. Today, in the era of GDPR, data quality issues can lead to compliance problems with serious financial consequences. This means that data must be verified and corrected, both at the point of entry and time of use.
Of all three of these building blocks, data quality is the one area that is probably represents the largest ongoing responsibility for most organizations. Thankfully, it is also the one that is the most amenable to automation.
Interested in finding out more about the role contact data plays in Global Data Protection Regulation (GDPR)? Visit our GDPR Solutions page, which contains a variety of resources that explain the key principles of GDPR compliance for contact data, and how automated data quality tools can protect your marketing efforts in the European marketplace.