It’s been an eventful year as organisations ramp up to meet their GDPR obligations. In that time we’ve spoken with numerous customers about how they’re preparing, and it’s clear that for many there’s more to do than they originally thought. This insight is also backed up by research we did with DataIQ in early 2017, which found that only 1.9% of organisations felt they were “not at all” prepared for the GDPR. This year that figure has increased to 3.1%, which points to better awareness and understanding of their own readiness and of the true extent of what is needed to be ready.
So, with that in mind, our GDPR event programme was born. An initial series of roundtable events has snowballed, and we’ve had the pleasure of speaking to hundreds of attendees from organisations of all shapes, sizes, and industries – all hungry for support with their preparations.
I’ve hosted many of these events, and what really hit home was how many organisations still aren’t clear on how to tackle common challenges. We see some of these questions coming up again and again, so I’d like to give you a brief summary of the most common ones.
1) How often should we do an assessment of our data or do a cleansing exercise?
Having a good foundation of data quality is very important for GDPR compliance. We always recommend that customers do an initial assessment. Our own GDPR Data Readiness Assessment gives you a good picture of the quality, accuracy, and integrity of your data. From there, you can identify what actions to take to meet the standards you need for GDPR compliance. Following this, an initial data cleanse will get your existing data back up to a good standard. Then, you should consider creating a data quality firewall by implementing contact validation solutions at the point of capture, ensuring that you only put good data in going forward.
The last step is to build data governance processes to keep the data fit for purpose by agreeing on some data quality KPIs and associated rules. You can then implement a monitoring mechanism to ensure that where data falls outside of acceptable parameters, you’re able to rectify quickly and easily.
2) How many SARs (subject access requests) should we be geared up to respond to in one month?
Unfortunately, there’s no magic number, and it will vary from business to business. It is, however, important to stress test your ability to manage and meet requests, to show you how many you could handle in one month alongside a usual workload. Given that consumer awareness of the GDPR is only likely to grow, being able to respond to 1% of your customer base is a good rule of thumb. It’s well worth looking at mechanisms to improve this, such as automating the process or using digital channels (e.g. a self-service web portal) not only to receive the request but also to send information back to individuals.
One of the most important things you can do, however, is lay the best possible data foundations for this by implementing a Single Customer View. Being able to locate all the information you hold on any given person will profoundly simplify any requests you do get.
3) Should we be getting retrospective consent or can we rely on legitimate interest?
Processing data under the GDPR is a hot topic and there has been a lot written on the subject. It’s fair to say that in a marketing context it’s common (but by no means always the case) that either consent or legitimate interest will have been how data has been managed in the past.
It’s really important, however, to point out that there are six legal bases for processing data under the GDPR, and organisations must take a step back to consider all six and which is the most appropriate for them. A good place to start is the ICO website. Only once this is decided can the organisation build an appropriate permissions strategy that combines policy, data, and technology and also supports the process for data subjects objecting to processing. In many cases, consent and permissions data for a wider permissions strategy can be managed by a platform such as Consentric by MyLife Digital. We recently ran a webinar with MyLife Digital on Consent and Data Quality for the GDPR. You can view that here.
4) Is there some form of “GDPR Ready” stamp from the ICO to help us validate our plans?
I’m afraid that the GDPR isn’t black and white, and until GDPR compliance is tested in a court of law there are still many unknowns about the regulation. You do, however, need to be able to demonstrate to the ICO that you are taking steps to keep your data accurate and up to date, and to track these activities. Having a well thought-out, ethical data management strategy is one of the best ways to lay the foundation for GDPR compliance, not to mention the list of benefits that comes with it. If you don’t know where to start, then something like a Data Readiness Assessment is a tangible document which can identify and prioritise where to focus your efforts and help you benchmark progress.
Not surprisingly, these common questions all reflect an attempt by organisations to understand exactly what the articles of the regulation mean and what is expected of them in terms of their processes and procedures. Interestingly, businesses are now zeroing in on quite specific elements within them as they get further into the nitty-gritty of their preparations.
In the lead up to May, we’re continuing our event programme with some new events being launched soon – giving you plenty of opportunities to ask our data management specialists your burning GDPR questions.
In the meantime, we recommend listening to our latest Data Readiness for GDPR webinar for a general look at preparing your data for May 25th. Or if you’d like to have a one-on-one chat with one of our data management specialists please let us know.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.