All UK businesses were required to be compliant with the EU General Data Protection Regulation (GDPR) from the implementation date on 25th May 2018. The GDPR introduces a number of new requirements which directly impact on direct marketing, including specific requirements surrounding your transparency with consumers, stricter rules for consent, data governance obligations and enhanced privacy rights that need to be upheld. This quick check-list is designed to help you track your compliance.
10 Point GDPR Check-List
1. Who are your GDPR colleagues?
Locate your internal GDPR stakeholders. Pro-actively identify colleagues working on the GDPR and collaborate with them.
2. Do you really KNOW your data?
Understand the personal data you have and why you process it. Analyse who, what, where, when and how personal data is/was collected and assess if you can keep using it compliantly under the GDPR.
3. Can you rely on Legitimate Interests?
The GDPR allows for direct marketing as a legitimate interest activity if certain conditions and a ‘balance of interests’ test are met.
Identify your marketing journeys, analyse whether a legitimate interest for direct marketing is available instead of consent and, if it is, record how you met the protection of individuals’ rights and reasonable expectations.
4. Is your data collection compliant and effective?
Ensure you tell individuals in easy-to-understand, plain language about your lawful bases for processing their data, give them choices and respect their rights.
Test your opt-in messages, including the new requirement to inform prior to the individual giving their consent. Ensure the right to easily revoke consent is offered. If relying on Legitimate Interests, inform them of their right to object.
5. Is your Privacy Notice GDPR-ready?
Post an updated privacy notice (policy) as soon as possible, so that data collected now can be used compliantly.
The GDPR requires more detailed privacy notices, including how long you retain personal data, details of any sharing of personal data with third parties, an explanation of any profiling activities undertaken, how individuals can exercise their rights, where to send complaints and if non-EU countries will process personal data.
[See the ICO’s Privacy Notice guidance]
6. Can your database evidence consent?
Your systems must be able to store proof of consent and revocation, including granular communication channels.
Ensure your (and any outsourced) systems can record consents and subsequent objections, tied to the specific purposes stated at the time of collection and to the selected communication channels (email, text, mobile phone, landline, social media, etc.).
7. Is data protection top of mind?
Apply the principles of privacy by design to keep data protection for individuals top of mind from the moment you create, develop, modify or buy products and services.
Privacy-by-Design/Default means conducting data protection impact assessments, even consulting the ICO if residual high risks to individuals are likely (e.g. profiling operations, or processing large quantities of sensitive personal data).
8. Does your data travel abroad?
If personal data is processed outside the EU/EEA, make sure that the entity in the destination country has adequate mechanisms in place to protect EU residents.
Review your inter-company agreements and data processor contracts for cross-border data transfer mechanisms that meet the GDPR (binding corporate rules, US-EU Privacy Shield, EU model contract clauses, etc.).
9. Are your staff ‘privacy aware’?
Train your staff about the importance of data privacy and to promptly report any policy inconsistencies.
Everyone has a role to play in safeguarding and respecting the personal data of their colleagues, clients, and business contacts, so deploy training to new hires and regularly to all members of staff.
10. Are you tracking data privacy news?
Monitor your compliance program and keep abreast of new privacy laws. Watch out for the publication of regulatory guidance and keep an eye out for updates on the promised EU e-Privacy Regulation governing electronic communications.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.