What GDPR means for your communications program

The new General Data Protection Regulation, or GDPR, comes into force on May 25th 2018, and replaces all existing data protection laws across Europe and the UK. Its harmonization of European law helps simplify the broad range of data protection-related concerns that marketers have needed to consider, but it also represents a fundamental shift in how personal data is collected, stored, and processed. Your organization is most likely already taking steps to ensure compliance ahead of 25th May, but do you know what GDPR means for your communications program?



The Scope of GDPR

Firstly, GDPR will affect most organizations in the scholarly and professional publishing / membership sector, as its scope encompasses both organizations that are established in the EU and any organization that collects and processes the data of living EU citizens. Whether you work for a US-based professional society that has members from Europe, or an EU-based publishing house that sells journal and book content to countries around the world, you’re expected to comply with GDPR. Much has been made of the penalties that non-compliance can bring – up to 4% of global annual turnover or €20m, whichever is higher, for the most serious breaches – so there are clear risks for organizations that don’t take it seriously!


Secondly, the GDPR’s definition of personal data is deliberately broad – it covers any information that, alone or in aggregate, can be used to unambiguously identify an individual. This includes IP addresses, business email addresses, and other information that organizations routinely collect, store, and use (both manually and automatically) to provide services and personalize communications. Organizations are approaching this by conducting a full data audit – reviewing all their systems, processes, and storage mechanisms to understand the scope and scale of personal data they have on record.


From a marketing and communications standpoint, the major change is around how the Regulation expects you to obtain personal data and inform individuals about how that data will be used, how long it will be held for, and their rights as ‘data subjects’. In practice, this means that unless your previous privacy policies already meet the strict requirements of GDPR, any contact lists you’ve built up over the years are no longer valid for use after 25th May 2018. This presents an opportunity to re-engage your contacts ahead of time and point them towards a new, GDPR-compliant privacy policy. The benefit is that those individuals who opt in will be highly engaged with your communications, leading to stronger response rates once your lists are cleaned and ensuring that your marketing database is fully up-to-date.



GDPR-compliant privacy policies

Drafting a new privacy policy with GDPR in mind means being fully transparent about the data you’re collecting, the purposes it will be used for, how long you’ll keep it on record, and who you might be sharing it with. So far, so standard – but you also need to bear data minimisation in mind. In practice, this means that if you don’t have a valid reason for collecting a specific piece of data, you shouldn’t be asking for it. Date of birth is one example: consumer brands might want to send a customer a discount voucher on their birthday, and could therefore argue that collecting their birth date is a valid use of personal data; a membership organization that offers no special benefit or service related to an individual’s age or date of birth has no valid business reason to collect or process this information.


To be fully GDPR-compliant, your policy must also inform individuals of their rights as data subjects, including the provision of contact information for your company, should they want to update their personal data or have it deleted; how to register a complaint with your organization’s supervisory authority; and how to request access to their data. It’s this final aspect which many organizations might struggle to comply with at present, as these ‘Data Subject Access Requests’ cover all forms of personal data (including paper records, emails, records of data processing and appropriate security measures) and must be satisfied within one month of the request. Handling such requests will require training throughout your organization, as they can be issued to any representative of your organization and by any method of communication. That means that a director needs to be able to recognise a request made as part of a telephone discussion just as much as a marketing manager representing your organization at a conference.



Next steps for compliance

GDPR might seem daunting due to its scope, and the scale of measures required to comply will vary from one organization to the next. Information security is at the core of what the GDPR expects of every organization, yet smaller societies and publishers may not have robust processes in place at present.

The very first step is to ensure your leadership team are aware of GDPR, and that compliance measures are spearheaded by a nominated Director. Your organization will also need to conduct a thorough audit of your systems and processes against a standard information security framework such as ISO27001, and also audit your data flows to develop a clear understanding of what personal data you hold, where it’s stored (both in terms of systems and its physical location – GDPR expects the data of EU citizens to be held on EU-based servers), who has access to it, and how it’s used. While these audits are proceeding, it’s also a good idea to review your privacy policies with GDPR in mind, and launch campaigns to ensure your marketing contacts are opted into future communications through GDPR-compliant methods.


GDPR is a complex topic, and no single blog post can hope to cover all the angles. If you’re going to be leading the charge on GDPR for your organization, you may wish to undertake a dedicated training course – there are numerous providers that offer both face-to-face and distance learning options. But if you’d like to demystify some of the jargon and get a deeper understanding of the Regulation beforehand, we’ve prepared a GDPR Glossary and Useful Links document that you can download free of charge, and you can also contact us if you have any more questions about what GDPR might mean for your marketing and communications program. We’ll also be covering more aspects of the GDPR and its impact on marketing and communications in the TBI Newsletter – make sure you’ve signed up here.