What GDPR means for your communications program
The new General Data Protection Regulation, or GDPR, comes into force on May 25th 2018, and replaces all existing data protection laws across Europe and the UK. Its harmonization of European law helps simplify the broad range of data protection-related concerns that marketers have needed to consider, but it also represents a fundamental shift in how personal data is collected, stored, and processed. Your organization is most likely already taking steps to ensure compliance ahead of 25th May, but do you know what GDPR means for your communications program?
The Scope of GDPR
Firstly, GDPR will affect most organizations in the scholarly and professional publishing and membership sector, as its scope encompasses both organizations that are established in the EU and any organization that collects and processes the data of living EU citizens. Whether you work for a US-based professional society that has members from Europe, or an EU-based publishing house that sells journal and book content to countries around the world, you’re expected to comply with GDPR. Much has been made of the penalties that non-compliance can bring – up to 4% of global annual turnover or €20m, whichever is higher, for the most serious breaches – so there are clear risks for organizations that don’t take it seriously!
Secondly, the GDPR’s definition of personal data is deliberately broad – it covers any information that, alone or in aggregate, can be used to unambiguously identify an individual. This includes IP addresses, business email addresses, and other information that organizations routinely collect, store, and use (both manually and automatically) to provide services and personalize communications. Organizations are approaching this by conducting a full data audit – reviewing all their systems, processes, and storage mechanisms to understand the scope and scale of personal data they have on record.
GDPR-compliant privacy policies
To be fully GDPR-compliant, your policy must also inform individuals of their rights as data subjects. This includes providing contact information for your company, should they want to update their personal data or have it deleted; explaining how to register a complaint with your organization’s supervisory authority; and explaining how to request access to their data. It’s this final aspect that many organizations might struggle to comply with at present, as these ‘Data Subject Access Requests’ cover all forms of personal data (including paper records, emails, records of data processing, and the security measures applied to that data) and must be satisfied within one month of the request. Handling such requests will require training throughout your organization, as they can be issued to any representative of your organization and by any method of communication. That means a director needs to be able to recognize a request made during a telephone discussion just as readily as a marketing manager representing your organization at a conference.
Next steps for compliance
GDPR might seem daunting because of its scope, and the scale of the measures required to comply will vary from one organization to the next. Information security is at the core of what the GDPR expects of every organization, yet smaller societies and publishers may not have robust processes in place at present.
The very first step is to ensure your leadership team is aware of GDPR, and that compliance measures are spearheaded by a nominated Director. Your organization will also need to conduct a thorough audit of your systems and processes against a standard information security framework such as ISO 27001. Alongside this, audit your data flows to develop a clear understanding of what personal data you hold; where it’s stored, both in terms of systems and physical location (GDPR expects the data of EU citizens to be held on EU-based servers); who has access to it; and how it’s used. While these audits are proceeding, it’s also a good idea to review your privacy policies with GDPR in mind, and to launch campaigns to ensure your marketing contacts are opted into future communications through GDPR-compliant methods.
GDPR is a complex topic, and no single blog post can hope to cover all the angles. If you’re going to be leading the charge on GDPR for your organization, you may wish to undertake a dedicated training course – there are numerous providers that offer both face-to-face and distance learning options. But if you’d like to demystify some of the jargon and get a deeper understanding of the Regulation beforehand, we’ve prepared a GDPR Glossary and Useful Links document that you can download free of charge, and you can also contact us if you have any more questions about what GDPR might mean for your marketing and communications program. We’ll also be covering more aspects of the GDPR and its impact on marketing and communications in the TBI Newsletter – make sure you’ve signed up.