Delve Into GDPR - Questions & Answers
Interview with the GDPR Advisory Board – a team of GDPR experts providing straightforward advice and help for those with queries about this new legislation. For more details visit www.gdpr-board.co.uk
How will GDPR affect data that businesses keep on employees?
Answer provided by Piers Clayden, founder of data privacy legal specialists, Clayden Law and a member of the GDPR Advisory Board
“The GDPR will put greater obligations on employers on how they use their employees’ personal data and how they look after it.
Employers will have a greater obligation to be transparent about how they use their employees’ personal data. They will be required to issue a new “information notice” to their employees which will need to detail, amongst other things, what kind of personal data they hold and on what legal grounds they use it, and to inform employees about their new enhanced rights under the GDPR.
These new rights include the “erasure” right (right to be forgotten), amended subject access rights and the right to appeal any decision based on automated decision-making.
Employers will also have a greater obligation to be accountable about how they use personal data, and be able to demonstrate their compliance – in short this means a much greater record-keeping obligation and ensuring that staff are properly trained in their responsibilities under the GDPR.”
Do you expect most businesses to be compliant in time for implementation or is there going to be a problem?
Answer provided by Piers Clayden, legal expert at the GDPR Advisory Board
“Because of the lack of clarity in some of the drafting of the GDPR, and the slow release by the regulators of any useful guidance, it is going to be very difficult for businesses of any great complexity to say they are 100% GDPR compliant by 25 May 2018. But it is important that they nevertheless try to move towards compliance as quickly as possible – we suggest taking a risk-based approach and prioritising those areas where the business faces the greatest exposure or liability.”
What are the top 5 things to get right under GDPR?
Answer provided by Piers Clayden, legal expert at the GDPR Advisory Board
• demonstrating that they are taking data protection seriously – up-to-date policies, record keeping and staff training are all important elements of this
• ensuring that the public-facing information notice reflects the reality of how the business actually does use and treat personal data behind the scenes
• ensuring that the business has proper organisational and technical measures and policies in place to keep personal data safe and secure – having a robust information security policy which is actually adhered to throughout the business is part of this
• making sure that if the business were to suffer a security breach (i.e. in short, where personal data was accessed outside of the organisation without authorisation) you would be able to report this to the regulator (the Information Commissioner’s Office) within 72 hours of becoming aware of this breach
• making sure that, where personal data is processed on your behalf by an external organisation, you have contracts in place that meet the requirements of the GDPR
Failure to comply with the GDPR could expose the business to fines (potentially up to 4% of annual turnover or €20m, whichever is higher), claims for damages from individuals, but perhaps more damagingly, loss of reputation.
How will GDPR affect all different types of marketing, such as email marketing, loyalty cards/schemes?
Answer provided by CIM (Chartered Institute of Marketing), who has worked in association with Me Learning to launch a tailored GDPR online course for marketers – GDPR for the Marketer. More details can be found at www.melearning.co.uk/gdpr . Nick Richards, CEO at Me Learning is a member of the GDPR Advisory Board
“GDPR has an impact on a wide range of marketing activities including how data is used, how customers are contacted and how data is held – which in turn affects email marketing, loyalty schemes and general marketing activities. With potential fines for non-compliance amounting to €20 million (or 4% of a business’s global annual turnover), GDPR needs to be taken seriously and embraced by all organisations quickly and with diligence. It’s not all doom and gloom, marketers in particular should see the positive side of the new legislation, which provides a once-in-a-generation opportunity to wipe the slate clean and radically overhaul the way customer data is collected and used.
Now is the ideal time for marketers to persuade their organisation’s financial team to invest in new data analytics tools – perhaps even those with predictive analysis and artificial intelligence (AI). By populating these tools with only the most important, useful and legally compliant data, organisations will be able to operate in a far smarter manner – securing higher response rates for email marketing and driving closer relationships with customers in loyalty schemes.
Data rationalisation should mean an end to customers getting multiple email mailshots because they appear more than once on a database (or are duplicated across legacy databases). Furthermore, having a single, consolidated view of the customer should also facilitate more informed responses when that customer engages with a call centre or other service point.
It’s worth remembering when looking to deploy an email marketing campaign that after May businesses will no longer be able to include a pre-ticked box, which the customer must untick in order to opt out of consent. Instead, the customer must actively choose to opt in, giving their consent freely and of their own accord, without coercion, undue incentives or penalties. As such, gaining this GDPR-compliant consent should be among your organisation’s top priorities in the run-up to the legislation’s launch.”
Why is training relevant?
Answer provided by Nick Richards, training expert for the GDPR Advisory Board and CEO of Me Learning
Training is important when it comes to GDPR. In many cases GDPR requires a cultural shift in organisations that ensures personal data is handled appropriately – and this is just as important for the marketing team as it is for the receptionist. Training enables this transition to take place across the company – and if you are questioned over GDPR compliance, proving that training has taken place is a very good step to show intent for compliance and might help avoid unwanted fines.
What training should businesses consider?
There are many classroom courses available for GDPR but these can be costly and limiting. E-learning provides a cost effective solution to train a large number of the workforce in a consistent manner (good for new starters) without taking employees out of the office to do so. Me Learning has teamed up with legal experts at Clayden Law to produce a range of easy-to-understand and legally compliant GDPR e-learning. To find out more visit www.melearning.co.uk