Are you prepared to demonstrate compliance with the General Data Protection Regulation (GDPR) by May 25, 2018?
If your organization stores or processes data about European Union (EU) citizens, you’ll need to prove compliance or face steep fines up to €20 million. That’s about $24.81 million in USD.
Well, you’re definitely not alone.
A recent survey by PricewaterhouseCooper revealed just 6% of US-based companies affected by the GDPR consider themselves compliance-ready. 92%, however, consider reaching full compliance a top priority.
Are you required to comply with the GDPR?
Most definitely, if your business has a presence in one of the 28 member states of the EU. Even if you don’t have an EU presence, you still need to start gearing up if you meet the following criteria:
- You process or store “personal data” on EU residents; and
- You have 250 or more employees; or
- You have less than 250 employees but process data non-occasionally or process sensitive data
An Ovum survey found that 85% of US companies believe they’ll be required to comply. There’s a good chance you’re among them, especially given the GDPR’s broad inclusion of many marketing activities as “processing” and “personal data,” according to the official Definitions (Art. 4).
Achieving GDPR Compliance: A Checklist
Meeting strict new compliance requirements requires many organizations to adopt new strategies, processes and, in some cases, technology. Since B2B marketers play an increasingly major role in collecting data and processing insights, the clock is ticking on making required changes ahead of the GDPR deadline.
First, a disclaimer. This article does not constitute legal advice on GDPR compliance. It doesn’t contain in-depth insight into all technical and operational changes that may be needed in an enterprise. Risk-related decisions should be made with the help of your company’s in-house or third-party legal counsel.
Instead, the steps below are designed to serve as a high-level overview of GDPR compliance for B2B marketers. The steps on this checklist address some of the many factors you should consider ahead of the May deadline, with a focus on the marketing organization’s processes and technologies.
1: Support a Data Audit
Article 30 discusses the importance of maintaining an updated “Record of Processing Activities,” or detailed documentation of the types of personal data stored, sources of this data, and how it’s shared, processed and exported.
Before organizations can assess their collection and storage processes, they’ll need a baseline. An important first step toward compliance for many organizations is conducting an audit of existing data assets, sources and processes.
While it’s unlikely that marketers will be tasked with spearheading a data audit, they’ll need to collaborate closely with information technology (IT) or compliance. Be prepared to provide access to existing privacy policies, consent processes, vendor contracts and technologies – such as your content management system (CMS), marketing automation platform (MAP) and customer relationship management (CRM) solutions.
2: Create a Project Plan
Compliance with strict new GDPR requirements is an enterprise-wide effort. Before marketing organizations can contribute to the change, they need insight into how their processes, notices, systems and software have to change to be compliant. While a project plan is not specifically addressed in the GDPR, it’s likely a best practice.
Creating a project scope document for B2B marketing offers the accountability of deadlines, while also creating a single source of truth that can be shared with the board, IT and, if applicable, your newly appointed data protection officer. In some cases, marketers may need to win the support of the CMO or executive leadership before a project plan can be created.
The GDPR is nothing to take lightly, and the clock is ticking. However, without the guidance of compliance experts and budget for change, B2B marketers may find themselves stuck.
3: Understand Access Requests
The GDPR strives to provide EU individuals, or data subjects, with more control over how their personal data is collected, used and stored. This includes Article 15’s “Subject Access Requests” and other rights detailed in Articles 16-23.
EU residents must be able to exercise rights to:
- Request personal data
- Receive data requests in a common electronic format
- Demonstrate the “right to be forgotten”
Companies can only refuse when a subject’s requests are “manifestly unfounded or excessive.”
B2B marketers need to understand their role in responding quickly to data requests, and where their team and technology fit into the official process of providing access or, when applicable, deleting records.
4: Contribute to a “Record of Processing”
Article 30 of the GDPR requires organizations to:
- Maintain a detailed record of processing (ROP)
- Document purposes of processes
- Describe data categories
- Document security measures
- Create a comprehensive data flow map
- Create a corporate policy for updating the ROP
Creating and maintaining the ROP is likely to be a collaborative effort. B2B marketers should be prepared to collaborate with their colleagues and vendors on creating the first ROP, and develop an understanding of their role in future ROP updates.
5: Update Privacy Notices
Articles 12-14 spell out new standards for customer privacy notices, which must be provided at the time when data is obtained – like when someone visits your website. There are over a dozen requirements for these privacy notices, which include the use of clear language when acquiring subject consent to process their data (i.e., clearly conveyed opt-in selections).
Privacy notice requirements could have a huge impact on B2B marketers, who may play an integral role in updating the language of their websites, landing pages and lead forms to meet GDPR requirements. Marketers need to collaborate with compliance to create standards and language for these updates, including making sure your processes for collecting sensitive and non-sensitive personal data fit into the six “lawful basis” requirements of Articles 5-7 and 9-10. The vast majority of time, marketers will rely on the lawful basis of “consent.”
Finally, per Article 28, determine whether you qualify as a “data processor,” and whether this designation has a further impact on your notices and other requirements.
6: Review Consent Collection Processes
If your organization obtains consent to collect data, address the consent language and processes on your website, landing pages, forms, third-party sources and any other marketing properties used to generate prospect data to ensure they meet the new standards spelled out in Articles 5-7 and 9-10.
Marketers need to meet standards for “positive opt-in” and “easy withdrawal of consent.”
According to Articles 85-91, you may also need to significantly rethink the ways you obtain consent for both children under 16 and individuals 16-18 to meet requirements for language, processes, and if applicable, parental consent.
7: Adopt “Design and Default” Requirements
Articles 25, and 35-36 discuss “data privacy by design and default.”
If that sounds like a wide-reaching, abstract concept, it’s because it is.
These new requirements are designed to make entire organizations, including B2B marketing teams, embed data privacy into all of their decision-making.
Marketers will need to consider GDPR data protection requirements when they adopt new marketing software, using an official “Design and Default” policy as their guidelines. Chances are, your new software acquisitions and marketing channels need to be evaluated against an official “privacy impact assessment protocol,” too.
8: Educate Yourself on New Breach Requirements
There are new requirements for how organizations respond to data breaches spelled out in Articles 32-34. Companies must meet timeline requirements, stop data loss and, in many cases, report the incident to regulatory bodies and their customers or employees.
If these standards aren’t met, you may face very steep fines and penalties
IT departments and compliance experts must collaborate on new, official policies for complaint breach response. While marketers will most likely play a pretty minimal role in all of this, they need to understand where they fit – including the timely publication of notices to the company website and the right internal channels for reporting incidents or suspected issues.
9: Review Your Data Export Processes
Articles 44-50 address one of the more complex aspects of GDPR compliance, which is new standards for cross-border data processing activity. This is likely to have an impact on you if your organization has operations in more than one country in the EU.
While the probable impact of these requirements on marketers is minimal, you may need to adapt your processes for sharing data across borders if directed accordingly.
10: Update Vendor Contracts
Third-party vendors aren’t just your demand generation agency, although they qualify as a contractor under Articles 44-50 of the GDPR. If your MarTech software stores data, this constitutes a vendor and could be subject to cross-border requirements.
Marketers need to understand first which software they’re using. This includes the “shadow IT,” or unauthorized tools that are semi-secretly used by select members of your marketing team. Once you have a list of your vendors in place, you’ll need to work closely with your compliance team to ensure that your vendors comply with GDPR requirements, and to update your agreements accordingly.
Identify all contractor relationships that require agreement revision and update for compliance. Verify third-party contractors can comply with GDPR privacy by design requirements.
GDPR Compliance: Default Data Protection
Is the GDPR the strictest legislation to-date regarding data privacy?
It almost definitely is. However, the GDPR is a part of a growing, global trend of data privacy across the globe. It’s important to see the required changes to your marketing processes as a part of a larger evolution of permission-based marketing.
Originally published at customerthink.com
— Published in DATA COMPLIANCE on March 11, 2018