The General Data Protection Regulation (GDPR), the EU’s and UK’s new landmark privacy law, will take effect on May 25, 2018. That’s around the corner. Have you started yet? If not, get up to speed quickly with this GDPR Compliance Process checklist for companies.
GDPR Compliance Process in 5 “easy” Steps: What Companies Need to Do
This GDPR Compliance Process and step-by-step Checklist is intended for our clients who are Salesforce and Marketing Cloud users to help them sort their compliance challenges, and quickly forge a path towards compliance, in 5 “easy” (or, not so easy) steps:
Let’s work through the checklist. For each major step, there are a couple of activities, as follows:
STEP 1. Get All Informed.
- You: Learn about GDPR requirements for your particular business. If you are in an industry with sensitive personal data, your data management requirements will be stricter. (see this article: GDPR: What you need to know today.)
- Management: Raise its awareness of the importance of GDPR compliance. This seems like extra nuisance paperwork to some business leaders, who hope it will go away if they don’t look into it. Not so. Forge action.
STEP 2. Get to Build the Team.
- Approval: Get management approval for the needed budget & staff (your time, and the time of other critical employees who ought to be your teammates).
- Lead: Appoint a GDPR “captain”.
- Board: Build a steering committee with key functional managers. Get everyone on board and talking about it.
- Champions: Pinpoint data protection champions throughout your company.
STEP 3. Assess Your Business.
- SWOT: Assess the strengths and weaknesses of current privacy and security efforts. Is there anything in place yet? Look for “trouble spots”, areas of data management that must be cleaned up.
- Create a Data Inventory, embracing all data, in all systems. That is: everyone’s laptop, all databases, everywhere the company stores personal data. For each data set, mark:
  - Specific purpose of holding the data.
  - When individual consent was obtained, and for what specific usage.
  - Reasonable timeframe of holding the data, relating to that time frame. E.g. if people consented to get information regarding a particular seminar, and that seminar has passed, you probably don’t need to keep their personal data.
- Create a Process Register: list all data processing activities. Depending on what your company does with customer data, this can be quite a job.
- Conduct a Privacy Impact Assessment for high-risk activities.
- Resolve issues and document current compliance.
STEP 4. Establish Controls & Processes.
Next, you need to set up a system that will ensure continued compliance over time.
- Notices: Place privacy notices wherever your company collects personal data.
- Controls: Set data-usage-controls to limit data usage to the purposes for which it was collected.
- Consent Mechanisms: Establish mechanisms to manage data subject consent preferences.
- Detection Measures: Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches.
- Response Procedures: Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten).
- Contracts: Enter into contracts with affiliates and vendors that collect or receive personal data. Salesforce & Marketing Cloud customers need this contract addendum: Salesforce Data Processing Addendum, plus this Salesforce Trust and Compliance Documentation for each Service. You will need this for each of your key data-related vendors.
- Process: Establish a Privacy Impact Assessment process. (Read the ICO’s Privacy by Design overview.)
- Training: Conduct employee and vendor ‘privacy and security awareness’ training.
STEP 5. Document Compliance & Upkeep.
- Compile: copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts.
- Appoint, if required, a Data Protection Officer, and identify the appropriate EU supervisory authority. (See Salesforce’s GDPR Facts vs. Fiction to see if you need an officer.) Not everyone does.
- Conduct: periodic risk assessments.
The GDPR Compliance Process – In conclusion
How much work this is varies by business. Best to start a.s.a.p.
I personally see all these legal requirements as a great opportunity for companies to become more customer-centric, and as such, become better marketers/more successful sellers. If you truly have your customers’ interest at heart, and you look at the world from their point of view, ‘blasting emails’ becomes repugnant. You’ll adopt an attitude of ‘helping them to achieve their goals’ instead.
I believe this attitude is the right angle to grow your business in a much better way. The competitive game in 2018 is all about winning on customer experience. Use this legal compliance exercise to forge a shift towards helping customers in your organisation.
Only lawyers can give you legal advice. We are not lawyers and our articles do not constitute legal advice. Therefore, we cannot take any responsibility for your compliance.
More GDPR & Related Resources
We just held a London Salesforce MARKETING CLOUD user group meeting on GDPR. Our presenter, Stephan Chandler-Garcia, is a well-known GDPR expert.
Stephan pointed out several additional complications for UK firms in particular:
1) GDPR is a European initiative. The UK will first be part of that, for a while. After that, upon Brexit, this legislation will be replaced by a UK regulation, which may be more stringent. This UK legislation is still being developed.
Do see our video below to learn more about these nuances and a wealth of further information on how you can gain legal compliance in this complex, broad and potentially costly data regulatory world.