GDPR is here and many businesses have (or are busy to) put processes in place to comply with the new regulations. However, if you recently came aware of GDPR or ask yourself why you need to comply to these regulations, you’ve come to the right place.
GDPR in a nutshell
To get you up to speed, we’ve provided a short high-level video explaining what GDPR is and what it means to your business:
Not a fan of video? Don’t worry, we got you. The rest of this article tackles the same points a bit more in-depth. So.. let’s get right into it.
What is GDPR?
In its shortest version GDPR or the General Data Protection Regulation is a new EU-legislation which came into effect at 25 May 2018. It serves the purpose to protect any individual’s personal data that businesses process. So it’s safe to say that this applies to almost any business, even smaller ones.
GDPR sees ‘personal’ data in a broad way, making IP-addresses, cookies, … subject to the GDPR-guidelines.
Many businesses may think these rules are ‘new’. Well this is not completely true. The GDPR guidelines actually take the old privacy laws from 1992 and fine-tuned them to today’s way of working. And if we are honest with ourselves, we know that this is a good thing. The internet we know back then evolved to the internet is today. With social media, internet banking, cookies, trackers, …
Secondly, most people aren’t even aware how much personal information they reveal about themselves that are being processed by businesses. Which leads to various cases and huge media exposure when leaks or breaches happen.
In addition to this, we need explicit – and active consent of individual before we can send them any sort of marketing communication (via email). So having a checkbox pre-checked is not compliant with the GDPR guidelines.
Here’s an overview of the ‘new’ rights individuals have regarding their personal information:
The ‘new’ rights of the individual
- The right to access: Any consumer, from who you store data, has the right to request access to their personal data and ask how and where this is used. Therefore, you must be able to provide a copy of that individual’s personal data, free of charge and in electronic format if requested.
- The right to be forgotten : If a consumer is no longer a customer or wishes to withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability: Consumers have the right to transfer their data from one service provided to another. This must happen in a commonly used and machine readable format.
- The right to be informed: Consumers must be informed before their data is gathered. Moreover, they must give their explicit consent (or opt-in) which must be freely given rather than implied.
- The right to have information corrected: Consumers must be able to updated their information when needed. This for be for outdated, incomplete or incorrect data.
- The right to restrict processing: Consumers can specifically request to not use their data for processing-purposes. Businesses, however, can still store their information but not use this.
- The right to object: Consumers have the right to stop the processing of their data for direct marketing actions. Whenever this request is received, the processing must stop immediately. There are no exceptions to this. Furthermore, this right must be made clear to consumers at the very start of any communication.
- The right to be notified: If there has been a data breach which contains a consumers personal data, the consumer has the right to be informed within 72 hours of first having become aware of the breach.
What we can take away from this is that we need to give individuals complete control over their personal information. Which makes sense.
Act and comply.
For your business to be GDPR compliant, means to give the individual complete control over their personal information. However, before you can do so, you need to undertake a few actions:
1) Assess your current data streams and map your business processes
If your business collects personal information, it is important to know where, what and why you collect that information. Some questions you could ask yourself are:
- Where do we collect data? Which channels do you use for data collection? For example: do I capture data on my website, banners, social media via cookies, trackers, …
- What data do we collect? Which information do we capture via these channels? For example: First Name, Last Name, Interests, Email, Phone, …
- Why do we collect this data? Is all the personal information that you capture relevant to perform your business activities? For example: do you need to capture someone’s food interest if you are selling shoes?
For any of these, businesses need to be clear and transparent to the outside world. And making the control of this processing as simple as possible.
This step includes checking your processes and identify where to make changes.
Do you know which individuals have given consent to your communication? Do they know what you do with their data? Is it as easy to opt-out from your communication as it was to opt-in? Is there a process in place that handles data requests? …
In addition, scheduling awareness-sessions for your employees helps. It’s the business that needs to be GDPR-compliant and your workforce handles your business.
3) Adapt, if needed, your current business flows to comply with GDPR.
The benefits (long-term)
Initially, GDPR may seem like a lot of work. However, if you adjust your business to comply with these regulations your business will benefit from these adjustments in the long-term. Look at it from this way, with GDPR:
- (Almost) every contact in your database is truly interested in your products or services;
- The campaign reports will increase significantly;
- All of your processes will flow seamlessly across all channels, leaving no room for gaps/breaches;
- Your customers feel comfortable that you process their personal information;
- You are a trusted & secure partner;
- And so on..
Much of the benefits from GDPR stack upon each other. Which makes sense because it serves the same goal.
A practical example: Our GDPR approach
A ‘perfect’ example of preparing (or complying) to this regulation doesn’t exist. Because every business is different and processes different kinds of data. The amount of time and effort businesses invest can vary.
The only guideline you have is to be as clear and transparent as you could be. But to give you an operation example, we’ll guide you through our GDPR-approach.
Step 1: We mapped our data streams
We analyzed the channels we use to capture information from and how that information flows through to our database. However, we only use channels like social media or email to redirect persons to our web-portal. So we capture no information via these channels, only via our web-portal. Which made it quite straight-forward for us where we needed to make adjustments.
We’ve outlined what we do with a person’s information in the most clear and transparent way we can. Moreover, we clustered this information into 4 sections so individuals can quickly navigate through the information:
- Trust Policy: which outlines that the protection of personal data is our top priority.
- Data Collection: which gives an overview of what data we collect and why we do so.
- Your rights: which reminds individuals what rights they have regarding their personal information.
- Requests: where individuals can act upon their rights.
- FAQ: frequently asked questions.
And in the footer of our email communication:
Step 3: We’ve set up a request process
Inside the request tab we’ve set up a process that handles each request. When an indvidual makes a request: he will receive an e-mail confirming that we received his request.
Step 4: We’ve gathered opt-in
We’ve launched an opt-in campaign to our database to gather their opt-in. In addition, we’ve added an explicit opt-in checkbox to our registration forms.
And that’s it!
By doing this we’ve taken the necessary steps to comply with the GDPR and gave full control to the individual over their personal data. And we have been able to do is with native functionalities from Salesforce. If you are interested in how Salesforce can help your business be GDPR compliant If you wonder how your business can approach GDPR with the help of Salesforce, we’re just one click away.