Keep calm and comply with GDPR by completing this action plan.
The General Data Protection Regulation (GDPR) is a new piece of EU data protection law that applies across the EU from May 25, 2018. GDPR gives consumers greater control over how their personal data is used, strengthens the legislation it replaces, and should help improve trust in the digital economy.
If your company is found to be in violation of GDPR, the most serious infringements can draw fines of up to 20 million euros or 4 percent of your total worldwide annual turnover for the preceding financial year, whichever amount is higher.
To say the least, it’s in your best interest to comply with GDPR.
Since GDPR doesn’t come with a compliance checklist, we’ve created one for you. On March 20, 2018, in collaboration with the Marketing Technology SIG and the International Legal Technology Association, LMA hosted a webinar titled “Navigating the Inbox: Understanding How GDPR Impacts You (Yes, Even You!).” The session was led by two speakers who are actively working to prepare their firms for GDPR: Sunny Bane, director of marketing operations at DLA Piper, and Michelle Woodyear, director of digital marketing at Covington & Burling LLP. This webinar offered useful GDPR action items legal marketing professionals can begin to address now.
This article is informed by our webinar, but it is important to remember there are a variety of perspectives on GDPR. We highly encourage you to seek out a number of different voices in order to best prepare for the regulations, including legal counsel.
Now, let’s get to what you want: an action plan.
1. Assess your current data.
GDPR protects people who are in the EU, regardless of their citizenship. If you have even one contact in your database who is located in the EU, your communications with them must adhere to GDPR conditions. The very first thing you must do for GDPR preparation is to assess your current data. If you’ve been lax about recording contacts’ countries in your database, it’s time to fill in the gaps, because without that field you cannot tell who is in scope.
But before scrambling to add in the countries for everyone currently in your database, we recommend you use the need for GDPR compliance as a spring cleaning opportunity. Are there any contacts in your database who have been gathering dust for years? If no one at your firm has a current relationship with a contact in your database, just delete them. It will save you time and help reduce your liability exposure.
For the contacts you do want to keep, do your research and fill in the blanks. Once you’ve done so, segment out lists by country to help you keep in line with GDPR.
2. Obtain explicit consent.
In order to comply with GDPR, you will need to obtain what the webinar calls “explicit consent” from your contacts in the EEA. (EEA stands for the European Economic Area, which includes all EU countries as well as Iceland, Liechtenstein and Norway.) This is consent as GDPR defines it (Article 4(11)), and it must pass four tests. The consent must be:
- Freely given – Contacts cannot be coerced into checking a box. You cannot say, “In exchange for X service, you have to agree to receive all of our marketing mailing.”
- Specific – You must tell the consumer specifically what they are going to receive and how their data will be used if they opt in to your mailing list.
- Informed – Contacts must know what they are agreeing to. If someone downloads a white paper from your website, you cannot quietly add their information to your marketing database on the strength of that download.
- Unambiguous – Consumers have to proactively respond by checking a box that says, “Yes, I understand what I’m getting and how my data will be used, and I am signing up for it.” No pre-checked boxes!
You will need proof of this consent, because under GDPR it is your job to demonstrate that a contact consented. Screengrabs of where and when someone consented will do, but the best proof is the consent record itself (who consented, when, through which form, and what they were told), safely stored where it can be retrieved as required.
3. Don't forget ongoing consent.
GDPR isn’t a one-and-done deal. Moving forward beyond May, it’s a good idea to adopt a culture of opt-in. Modify (or create) your mailing subscription form to include:
- The purpose for collecting a consumer’s data
- Clarity on what a contact will (and will not) receive
- Affirmative opt-in (remove any pre-ticked boxes)
- An opt-out option
Use your CRM to record the date, source and type of each consent. Automate as much as possible moving forward.
You could also consider updating all your templates (e.g., newsletters, invitations) with subscribe links to keep the option as visible as possible. Consider adding opt-in opportunities to web and social media posts as well.
4. Organize your data.
Delete any personally identifiable information that is not essential for the delivery of services. Be especially careful with GDPR’s special categories of data (for example health, religion, ethnicity or sexual orientation) and with fields that hint at them. Gender is not itself a special category, but even salutations such as Mr. and Mrs. reveal it, so drop them if you don’t need them. A good rule of thumb is to look at your information fields and ask, “Would our firm be embarrassed if any of this became public?” Children are a very specific area of concern in GDPR, so be sure to pay close attention to any family data you hold.
Build out a suppression list of contacts in the EU (or who could be in the EU, if you’re unsure) from whom you have not obtained the consent explained in section 2 of this article. Use technology to automate this process whenever possible to reduce strain and maintain consistency.
You’ve probably been hearing about the “right to be forgotten” (right to erasure) element of GDPR. Essentially, your contacts protected under GDPR have the right to request that their data be wiped from your database “without undue delay,” which in practice means within one month, extendable for complex requests. If a contact of yours makes this request, hide that contact’s information from everyone but administrators, delete everything but their name and email address (kept only as a do-not-contact marker so that they don’t immediately go back into your database), and notify everyone at your firm associated with that contact. Keep an audit record of the request and of what you deleted in case an individual’s claim that they exercised the “right to be forgotten” ever became a legal issue.
Contacts protected under GDPR likewise have the right to data “portability”: they can request that the data you hold about them be provided in a structured, commonly used, machine-readable format (e.g., a .CSV file). Make sure this is something you can do easily and quickly.
One final thing to note: legal marketers are responsible for the data we use and process, and only that data. We do not have to tackle attorneys’ client information; that is up to them and legal counsel, unless the data is shared with the legal marketing team for communications purposes. Keep your attorneys informed on what you’re doing and why, but you shouldn’t necessarily feel the need to do their work. Assess your firm culture and move forward accordingly.
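As an added illustration (this is not code from the article, the LMA webinar, or any vendor), the sketch below shows what the consent recording, suppression list, erasure handling and portability export described in sections 3 and 4 look like when a CRM actually enforces them. The contact records, field names and the EEA country list are constructed for the example; a real CRM would hold the same information in its own schema. Two details are worth noticing: a contact whose country is unknown is treated as in scope, and an erased contact is reduced to a name-and-email marker that stays on the suppression list so an old export cannot quietly re-import them.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed EEA list: EU-28 membership as of 2018 plus Iceland, Liechtenstein, Norway.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB", "IS", "LI", "NO",
}

# Constructed sample contacts (assumed field names). "consent" is None when no
# affirmative opt-in has ever been recorded; "country" is None when unknown.
CONTACTS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.eu", "country": "DE",
     "consent": {"date": "2018-03-01", "source": "web form v3", "purpose": "newsletter"}},
    {"id": 2, "name": "Ben Example", "email": "ben@example.com", "country": "US", "consent": None},
    {"id": 3, "name": "Carla Example", "email": "carla@example.ie", "country": "IE", "consent": None},
    {"id": 4, "name": "Dev Example", "email": "dev@example.org", "country": None, "consent": None},
]


def record_consent(contact, source, purpose, now=None):
    """Record an affirmative opt-in with date, source form and stated purpose (section 3)."""
    now = now or datetime.now(timezone.utc).date().isoformat()
    updated = dict(contact)
    updated["consent"] = {"date": now, "source": source, "purpose": purpose}
    return updated


def in_scope(contact):
    """In scope for consent-gated mailing if in the EEA, or if the country is unknown."""
    country = contact.get("country")
    return country is None or country in EEA


def suppression_list(contacts):
    """Emails that must never be mailed: erased contacts, plus in-scope contacts with no consent."""
    return sorted(
        c["email"] for c in contacts
        if c.get("erased") or (in_scope(c) and not c.get("consent"))
    )


def mailable(contacts):
    """Contacts that may receive marketing mail."""
    suppressed = set(suppression_list(contacts))
    return [c for c in contacts if c["email"] not in suppressed]


def erase(contacts, email, audit, now=None):
    """Honour a right-to-erasure request for `email`.

    The record is reduced to name and email, flagged as erased so it is never
    mailed or silently re-imported, and an audit entry lists what was removed.
    """
    now = now or datetime.now(timezone.utc).isoformat()
    result = []
    for c in contacts:
        if c["email"].lower() == email.lower():
            removed = sorted(k for k in c if k not in ("name", "email"))
            audit.append({"email": c["email"], "erased_at": now, "fields_removed": removed})
            c = {"name": c["name"], "email": c["email"], "erased": True}
        result.append(c)
    return result


def export_portable(contact):
    """Right to portability: everything held on one contact as CSV text, consent fields flattened."""
    row = {k: v for k, v in contact.items() if k != "consent"}
    for k, v in (contact.get("consent") or {}).items():
        row[f"consent_{k}"] = v
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(row), lineterminator="\n")
    writer.writeheader()
    writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    audit = []
    print("suppressed:", suppression_list(CONTACTS))
    after = erase(CONTACTS, "carla@example.ie", audit)
    print("mailable after erasure:", [c["email"] for c in mailable(after)])
    print("audit:", audit)
    print(export_portable(CONTACTS[0]))
```

The unknown-country rule is deliberately conservative: a contact you cannot place is cheaper to leave off a mailing than to explain to a supervisory authority. The audit entry records which fields were removed, not their values, so the audit log does not itself become a copy of the data you just erased.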
5. Reduce liability.
If there were to be a breach at your firm and your contacts’ data fell into the hands of another party, you’re on the chopping block. Begin to restrict access to key data functions and information: limit the ability to export data to the few roles that genuinely need it, and log every export so you can tell what left and when.
Of course, no matter how diligent you are, there is always the possibility of a breach. Meet with your internal general counsel and determine a procedure for reporting a breach. GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach where feasible, and notifying the affected individuals when the breach is likely to pose a high risk to them, so the procedure has to work quickly. Train your staff and regularly review the procedures so that if there is a breach, you can address it with a level head and minimize damages.
Documentation is the best thing you can do to reduce liability under GDPR. Document your consent forms, your breach procedures, and your erasure requests and completions. Document all your pre-GDPR preparation work. While you’re at it, check with your third-party vendors (your CRMs, ERMs, mailing platforms) to ensure they have GDPR policies in place and that you have a written data processing agreement with each of them, which GDPR requires for any vendor that processes personal data on your behalf. Get a copy of their policies for your records, and see if they have any resources they’re willing to share to help you with compliance.
6. Keep calm.
Spring cleaning has never been so stressful, but breathe. As long as you’re doing the proper preparation work and documenting appropriately, you shouldn’t be losing sleep.
If you want more information, set aside a lunch hour to watch the full LMA webinar by which this article is informed. And again, we highly encourage you to seek out additional perspectives on GDPR preparation. The more you know, the better you can prepare and the calmer you’ll be.
Keep calm and comply with GDPR!