In advance of the introduction of the General Data Protection Regulation (GDPR), bringing stricter EU data protection rules, now’s the perfect time to familiarise yourself with how to ensure that your business stays within the regulations.
The below is a brief outline, but you’ll find more detailed information along with examples of good – and not so good – practice in this step-by-step guide.
Step 1: Examine the data that you hold
Your first port of call should be to have a thorough investigation of the data that you hold on your customers or the people within your email database, examining why you need that information, how you use it, how long you’ve held their data and when/how they signed up. Under the new rules you should only hold data for a ‘reasonable’ length of time – which very much depends on why you need the data. For example, if it’s data gathered from a one-off sale then that’s very different from holding the details of a customer with whom you have an on-going relationship. Establishing why you need that information and how you use it for each group, will help you determine what the reasonable length of time will be.
When you identify the personal data you no longer need, it’s time to delete those records. As well as helping you to stay on the right side of the regulations, this will also create a higher quality database populated by more recent, and hopefully more active, customers.
It may be that you want to use older customer data for analytics and this is fine – as long as you make the data anonymous. This should be a relatively simple process which will retain the information you do need and erase what you don’t, aggregating this data into one anonymous pot where the individuals can’t be recognised, but still allowing you to use it for information purposes.
Step 2: Perfect your privacy statements
When you make a privacy statement it’s essential that, among other things, you cover 3 key areas;; who you are, how you’re planning to use a customer’s data and who else you might share it with (if relevant) . It’s a complex area, or at least the last two elements are, so guidance has suggested that a good way to do this is through a layered approach. This means starting with a simple privacy statement but also having more comprehensive information for anyone who wants a more detailed explanation. Obviously, not everyone will want this but it’s important to have it available for those that do.
It’s also vital to remember that you must give people the opportunity to actively acknowledge your privacy policy. If you use pre-filled boxes or assume that a customer’s silence amounts to consent then you’ll be in contravention of the rules.
Step 3: Collect evidence of consent
Unfortunately it’s not going to be enough to simply state that you’ve received consent from customers to hold or use their data. There may be situations when you’re required to prove it too – and you need to be able to do this clearly, quickly and easily. This is potentially tricky in the case of people whose consent has been implicitly assumed in the past, for example by not un-checking pre-filled boxes. You should re-opt-in these people – one of the easiest and most cost-effective ways of doing this will be to send out emails to this group explaining why you are contacting them and giving them two options, either to give or deny consent to the use of their data.
Alternatively, if customers have registered their preferences with you in the past, the email could direct them to amending their details as required. This means that if they change their preferences regarding data use, you’re staying up to date with what you can and can’t do, and you have recent customer data to use within your marketing campaigns.
Above all, you should note that the older data is the more important it will be to be able to prove that you still have consent to hold and use it. So having a robust and effective strategy to achieve this is more important than ever before.
What’s next?
It may all seem like there are too many hoops to jump through, but there are also real benefits to ensuring you abide by these data & compliance rules set out in the GDPR. The points outlined have always been best practice, and following them will create a better, more trusting relationship with your customers – and trust is one of the most valuable commodities for any business or organisation.
We’ve written this post just to get you thinking about what you need to do in advance of the GDPR coming into effect. The final text could be approved as soon as this month, then the 2 year countdown will start. For more information around the next steps you should consider, follow Communicator’s series of 6 EU Data Regulation Guides, all available here.
[su_box title=”About Ashleigh Wood” style=”noise” box_color=”#336588″][short_info id=”66247″ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.