When the General Data Protection Regulation (GDPR) was announced in April 2016, the 2018 deadline seemed an eternity away. But now there are just 30 days until GDPR comes into effect, so getting compliant needs to be a top priority for all businesses who deal with data of EU citizens.
It might seem like if you’re not ready for GDPR now then you’ll never be, but it’s important to keep pushing on. Here are 5 quick GDPR wins you can make in the next 30 days to get compliant.
1. Audit your policies
Hopefully, you’ve spent the last 2 years examining your processes and getting them GDPR ready. Now it’s time to make sure all your customer-facing policies reflect those changes.
Under GDPR, your privacy policies need to be easily enforceable, clear and concise. They must outline:
- How you use your customers’ data, which means listing any and all third parties you pass data on to (such as external loyalty schemes or even something as simple as Google Analytics)
- Where data is stored, naming your data protection officer and explaining to customers how they can opt out of your communications
In the next 30 days, take time to go through all your privacy policies and make sure they’re up to scratch.
2. Re-collect opt-ins for old customers
Once GDPR comes into force, you’ll only be allowed to contact and continue processing existing customers if they were acquired in a GDPR-compliant manner. That means if you used pre-ticked checkboxes to grow your marketing communications list, you’ll no longer be able to contact those customers come May 25th.
But all is not lost. While many businesses are scrapping old and unengaged customers entirely, you can (and should!) make an effort to re-engage them and get consent. In the next 30 days, you can contact your customers and ask them if they still want to hear from you. Remember, unless you have gained consent to contact them, you won’t be able to contact them after May 25th.
You can also use this as a chance to gather more in-depth information about your customers. Some businesses are sending out preference surveys to customers to find out what kinds of products and topics they’re interested in. Not only will this allow you to target your customers with more personalised communications in the future, but it will also allow you to build up ‘legitimate interest’ – a viable alternative to consent under GDPR.
3. Make it easy to withdraw consent
Under GDPR, you need to make it as easy for customers to withdraw consent as it is for them to give consent. Your customers also must be able to request that you remove all their personal data (the right to be forgotten).
Take the time to go through your current opt-out or unsubscribe systems and make they’re clear and easy to use. Customers should be able to opt out of one or all methods of communication and understand exactly what they’re opting out of. You need to make sure this information immediately feeds into your database, so you don’t accidentally contact a customer after they’ve opted out. If removing a customer from your database takes time, make sure you clearly explain this on the opt-out page.
4. Check your staff are ready
GDPR isn’t just about systems and processes – it’s also about people. Spend the next 30 days making sure all your staff are ready for GDPR and understand how the changes impact them and their role.
Hold last-minute meetings to make sure everyone is prepared, answer any questions your teams may have, and conduct any necessary training. GDPR certainly requires a big shift, but as long as you’re prepared for those first few access requests, you’ll be able to confidently navigate the change in legislation.
5. Keep going
Most GDPR advice centres on getting ‘GDPR ready’ – but it’s important to remember that the work doesn’t stop on May 25th. Once GDPR comes into force, you need to keep evaluating your systems, iron out any kinks in the new processes and ensuring continued compliance.
May 25th, 2018 will come and go, but the GDPR regulation is here to stay.
Watch our GDPR webinar for more practical tips
Get advice on streamlining preparation, ensuring compliance and capitalising on opportunities: