The General Data Protection Regulation (GDPR) has been law across the EU for a year now. Here, we look at the impact the legislation has had and offer a four-step procedure for making your data policy compliant.
Many businesses made considerable changes to their marketing practices in the past twelve months. A recent poll of IT decision-makers by CybSafe concluded that just 57% of companies say they are compliant with the GDPR.
The EU’s GDPR survey found business leaders “confused by the more technical aspects of data security”, citing end-to-end encrypted email as an example: just 9% could name a service with this built in.
The upside is that, one year on, the onerous fines foretold by the scaremongers haven’t materialised, apart from one or two notable exceptions, such as Google in France. Quantcast is also currently under investigation by the Irish Data Protection Commission.
What has happened in the past 12 months?
The most recent research, from February 2019, reported 59 000 detected data breaches but only 91 levied fines. Leading GDPR authority Tim Hickman says, “It isn’t that [fines] are not coming, or regulators are not taking it seriously. It’s because it takes time and they’re worried about being challenged in the courts.” Companies do challenge the large fines, since the legal fees are lower than the fines themselves, or even than the amount by which a fine might be reduced. This is making the authorities take more time to ensure their cases are watertight.
The technology sector was the obvious first sector to target and, sure enough, it has taken the brunt of it. However, the large firms saw this coming and armoured themselves with the best and biggest law firms.
Another trend is for the GDPR to be used against companies by their ex-employees. They submit a subject access request, causing significant cost, inconvenience and lost time – i.e. general nuisance – to the company. For your best protection, drill regularly on extracting such information, stripped of other people’s details, so that each request costs the least possible time and money.

Procedure for producing a data policy
You think you had everything ready for GDPR back on 29 May 2018? Not likely!
Many say it’s only now that the real work is starting. Companies made their existing data compliant. However, their data policies still often say they will hold onto your data “until you tell us not to”. This is now illegal: data must be held for the shortest possible time.
Given that databases are designed to be repositories of (contact) information, not deleted systematically, this change is painful, so here are
4 steps to ensure compliant storage and erasure of contact data
1.) Delete on the basis of segmentation
Most probably, new contacts will be stored in your database for different purposes, each purpose having a different expiry period; e.g. warranty records will live much longer than delivery details.
One suggestion is to divide your data between ‘actives’ – those entering your contact database by their own decision – and ‘passives’ – those you’re marketing to or involving in other normal business activity. Most contacts are passives unless you control the market. Passives will need deleting sooner than actives.
2.) Use one record per contact
In line with that policy, as a new contact enters your database(s), assign it a deletion date. Marketing automation is ideal for implementing this.
3.) Each time a contact interacts with you, amend the deletion date
Set up your database to update the contact’s deletion date automatically each time the contact does something, extending it by the period appropriate to the type of interaction.
4.) Clean your data regularly
On a regular basis (e.g. annually), extract details of all contacts whose deletion date is in the past. Check whether there is a reason outside the system for keeping the data (e.g. recent calls or emails with sales reps, or other ongoing sales reasons). Once everything is clear, delete the contact(s).
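The four steps above as a small retention engine, written as an added example rather than code from the original post: a record gets a deletion date on entry based on its segment and purpose, each interaction pushes that date out, and a periodic sweep deletes expired records unless a human has flagged an out-of-system reason to keep them. The retention periods are constructed for the example; the post gives no figures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Retention period per (segment, purpose), in days. Constructed for this example:
# the post only says passives expire sooner than actives and warranties outlive
# delivery details; it gives no figures.
RETENTION_DAYS = {
    ("active", "warranty"): 5 * 365,
    ("active", "marketing"): 2 * 365,
    ("passive", "marketing"): 365,
    ("passive", "delivery"): 180,
}

@dataclass
class Contact:
    """One record per contact (step 2) carrying its own deletion date."""
    email: str
    segment: str           # "active" (came to you) or "passive" (marketed to)
    purpose: str           # why the record exists; selects the retention period
    last_interaction: date
    deletion_date: date = field(init=False)

    def __post_init__(self) -> None:
        # Steps 1 and 2: the deletion date is set on entry from the segment.
        days = RETENTION_DAYS[(self.segment, self.purpose)]
        self.deletion_date = self.last_interaction + timedelta(days=days)

def record_interaction(contact: Contact, on: date,
                       purpose: Optional[str] = None) -> date:
    """Step 3: every interaction pushes the deletion date out again."""
    if purpose is not None:
        contact.purpose = purpose  # a new purpose may carry a longer period
    contact.last_interaction = on
    days = RETENTION_DAYS[(contact.segment, contact.purpose)]
    contact.deletion_date = on + timedelta(days=days)
    return contact.deletion_date

def sweep(contacts: List[Contact], today: date,
          holds: Set[str]) -> Tuple[List[Contact], List[Contact]]:
    """Step 4: delete expired contacts unless flagged in `holds`, the
    out-of-system check (recent calls, open deals). Returns (deleted, held)
    so each run can be logged as evidence of compliance."""
    expired = [c for c in contacts if c.deletion_date < today]
    held = [c for c in expired if c.email in holds]
    deleted = [c for c in expired if c.email not in holds]
    contacts[:] = [c for c in contacts if c not in deleted]
    return deleted, held
```

Keeping the `(deleted, held)` result of every sweep gives you the audit trail that shows the policy is actually being applied, not just written down.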
Data Security: Beware
Assume you’ll be hacked or suffer a leak. Almost two-thirds of UK businesses have suffered a cyber attack in the past 12 months alone, and 75% of the U.S. healthcare system has been hit with malware.
The bottom line is that if you can show you’re doing your best to be compliant and to protect your database, then if and when you suffer a cyber-attack you’ll be better placed than if you had not. Automation will handle the practicalities of compliance better than trying to do it manually.