GDPR compliance can be straightforward, but take it seriously
It is almost impossible to ignore that GDPR compliance is a hot topic right now, and companies are taking it very seriously, which is understandable. In fact, I recently received an email asking if, “due to GDPR compliance”, they could “keep my email”. I think this particular individual (or company, if this is a business directive) may be overdoing it a bit. I would argue that, as I sent the original email, I have provided the required “explicit consent”. However, this email exchange serves to make a point: it demonstrates just how seriously people are taking this.
Here are some common sense tips around GDPR compliance:
- You’ll probably need a team to help with this project to ensure it gets the focus it needs. I would recommend establishing a team leader for this.
- GDPR compliance relates to personal information, so it is important to understand what data you hold and which of it is “personal”. Personal information includes more than just names and email addresses: it is anything that can be used to identify a person, and an IP address is a modern example.
- Make sure you ask permission to retain a consumer’s personal information, and only retain their records for one year unless you obtain renewed consent or permission to continue. Depending on what your business does, continued engagement can count as that renewed consent.
- Deal with unsubscribes and opt-outs quickly.
- Secure the personal data you hold with modern encryption methods.
- Ensure that only the employees who need access to personal data have it. This also helps prevent data theft by disgruntled employees.
- Check your commercial agreements, as they may need updating. This is particularly important if you are sending data elsewhere, including via APIs or into cloud software.
- Check your supplier agreements and solutions. Some of your suppliers will have created additional features for you. For example, if you are a Salesforce customer then you have access to data controls, so speak to your administrators.
- Keep messages clear and be transparent. For example, a note in the footer of your emails explaining that emails are retained might be enough.
- See what industry-specific documentation exists. There are different standards and recommendations depending on what your business does.
- Lastly, seek professional advice.
This list is not exhaustive and it represents my basic views and opinions only. GDPR compliance experts will ensure that you are on the right track, and that you don’t overdo it.