GDPR, or General Data Protection Regulation, is a new collection of rules adopted by the European Union from May 25, 2018, to protect individuals’ privacy online.

While it most clearly impacts social media platforms themselves, the new regulations have implications for any business that sells online in the EU and EEA. Perhaps most importantly, this important approach to online privacy treats all entities as individual people.

That means a business account has the same privacy and data protection rights as an actual person. So, whether you’re a B2C or a B2B company, big small or in-between, the GDPR will likely affect your business in some way or another.

To start with, the primary focus of this regulation is data gathering, which has become big business in recent years. As technology increases our ability to collect, store, and use consumer data, it’s become more common to gather as much data as possible and use the insights from that to target marketing, tailor content, and analyse trends. In fact, The Economist recently called this sort of data “the world’s most valuable resource.”

With all this data being used, some consumers have become concerned about their privacy and how this data is used, which brings us to the GDPR and its focus on three rules for data gathering. These are data access, data permission, and data focus.

In short, data gathering should be focused rather than broad, should require the user’s permission in some form, and should be accessible only to qualified professionals using it for legitimate business functions. It’s a lot to keep in mind, but with the following ten tips, you should be well positioned to maintain your current strategies while being compliant with GDPR rules.

Know What Data is Covered:

Personal data specifically is what’s being protected here and while that includes many types of data, it’s not everything. Key types of personal data include: name, email address, phone numbers, bank account information, credit cards, addresses, and biometric data. Basically, anything that can be tied to a particular person.

Make it Easy to Opt Out:

The more opportunity you give individuals to manage their level of data permissions the better. So opt-out links on marketing emails are a must. Similarly, some companies have moved to two-step opt-in processes (an online form followed by a confirmation email for example) to make sure users want their data used.

Keep Track of What You Have:

One of the biggest issues you might face is being asked to remove a person’s data from your storage and not being able to find all the relevant information. Storing the data you use in a highly-organised way can help you avoid this risk.

Consumer Access:

Under GDPR, consumers have a stronger right to request information about how their data is used. Having a plan in place for how to process such requests means you won’t be caught off guard when someone asks how long you’ll keep their email or from which channels you have information on them.

Get advice from a Data Protection Officer (DPO):

While only public entities and companies that carry out large-scale systematic monitoring are required by GDPR to have a DPO. It’s a good idea for any business that uses consumer data to get appropriate advice from a DPO which can help you be sure you remain GDPR compliant. 

Invest in a CRM:

An integrated platform for consumer relationship management can help you keep better track of data, automate compliance processes, and document your data processes more clearly.

Privacy Impact Assessments:

Being proactive about privacy by conducting a privacy impact assessment can help you understand where you might be at risk. GDPR only requires it in “high-risk” situations where a lot of very personal data is used, but it can be a useful step for any company towards understanding how you interact with data privacy.

Keep Relevance in Mind:

A simple way to avoid making data protection a complicated and time-consuming task is to focus on only gathering the data you truly need to do business. Extra data just adds additional risk and more opportunities for mistakes. 

Audit Previously Acquired Data:

Take the time before these rules are implemented to audit the data you already have. How was it acquired? How is it being stored? Making sure you have a trail of consent for legacy data you continue to use can save you a lot of headaches down the road.

Be Ready for Data Breaches:

GDPR requires all companies to report security breaches that give intruders access to personal data. Having plans for detecting, addressing, and reporting such breaches will make it easier to deal with if something like this ever happens to your database.

There’s a lot to consider with this upcoming rule, and these are far from the only things you’ll need to address. Starting with these basics, however, will put you in a good place to understand your data gathering- and use-processes and how you might need to adjust them.

The most important thing is to be clear and precise with data gathering and storing practices, so the more you investigate and plan now, the easier it will be to stay compliant in the future.

Useful official resources on GDPR –

(Ireland) – www.GDPRandYou.ie

(EU) – www.eugdpr.org/

(UK Guide to the General Data Protection Regulation) – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

 

Views are my own!