Europe's data privacy legislation has the power to impact entire organizations around the world. The General Data Protection Regulation (GDPR) tightens the rules and raises the bar when it comes to data handling, including in your marketing department. From communication consent to the "right to be forgotten," marketing plays a large role in reaching GDPR compliance.

1. Know What You Own

Just like your organization's web teams and IT departments, start by knowing what you and your team are responsible for.

What software are you using? Where does your database of contacts live? What other third-party tools or applications do you use that contain prospect, customer, or employee data?

Ask your team those questions, and create an overview of the following:

  • All software, tools, and applications, the purpose of each, and which of them hold personal data
  • Which employees have access to personal data in any format (physical documents or online data), and through which tool or system

Determine which team members require access to these tools and data on a "need-to-know" basis, considering their job function. Anyone who falls into the "nice-to-know" category should have their access removed or limited: every account that can read personal data is one more way for that data to be exposed, and one more account you will have to review when someone asks what you hold about them.

2. Map Out All Processes

Your team likely handles personal data daily, particularly on your website. Be it employee data, customer and prospect information, or data residing with third-party vendors, get a handle on every relevant process you perform in marketing. Then, detail how the data is handled internally and externally across these categories:

  • Transit – How is data transferred within your company and to external parties, and how is it protected while in transit?
  • Storage – How and where is data stored and safeguarded? The geographical "where" matters under GDPR: personal data may only be transferred outside the EU/EEA to countries the European Commission has deemed adequate, or under other approved safeguards such as standard contractual clauses.
  • Retention – How long is data kept and why? Data that no longer serves the purpose it was collected for must be deleted (GDPR calls this "storage limitation").
  • Deletion – How is data deleted, both physical and online, and does that deletion also reach backups and third-party vendors?

Under GDPR, your organization must be able to respect a data subject's rights by correcting their personal data for accuracy (rectification), deleting it altogether (erasure, known as "the right to be forgotten"), or transferring it to another entity on their request (portability). Such requests generally have to be answered within one month. By mapping out your processes and knowing where all data lives, you prepare your organization for GDPR compliance and can respond quickly to such requests instead of hunting for copies across systems.

3. Get Used to Opt-in Communication

Luckily, GDPR recognizes the benefits and necessity of marketing. However, the data protection legislation raises the standard for communication consent. You can no longer rely on prospects and customers opting out of receiving content from you: they must actively opt in to the communications you send, similar to the requirement under Canada's existing Anti-Spam Legislation (CASL).

Under GDPR, consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action. In other words, silence, pre-ticked boxes, or inactivity do not count as consent. Whether you ask for consent as soon as people arrive on your website or find another point in the journey to ask, it has to be done, and a separate, granular choice should be offered for each distinct purpose (for example, a newsletter versus product updates).

Your website must also outline, in a privacy notice, exactly how you intend to contact people and handle their data. To comply with GDPR, you must also be able to demonstrate that your contacts gave their consent: keep a record of who consented, when, how (which form or checkbox), to what purposes, and the exact wording they were shown at the time. If a consent was later withdrawn, record that too.

4. Create a Response Plan for Data Breaches 

According to the Breach Level Index, around 10.5 million data records were compromised every day in the first half of 2017, and 74% of the breaches involved identity theft of customer and employee data.

In the event that personal data you handle is exposed, lost, or altered without authorization, GDPR requires organizations to notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the people affected. Where the risk to those people is high, they must be informed directly as well, without undue delay. IT departments may resolve the technical side of data breaches, but it's important for marketing to know how to handle one for two reasons:

1) You make IT's job a lot easier by mapping out your own data processes: the inventory from steps 1 and 2 tells responders which systems, vendors, and people are affected.

2) You have a public image to protect.

Together with your IT and legal departments, draft a response plan for how you will notify the authorities and the people whose data was breached, including who makes the call, who drafts the notice, and what the 72-hour clock means for your team. Don't wait for an upset customer, prospect, or employee to find out on their own. Be proactive and open about what happened, and begin rebuilding their trust from the very beginning.

Achieving GDPR compliance on your website is a cross-departmental effort. Ready to get other teams on board? Download the free e-book, GDPR: Working Together for a Compliant Website, for a collection of tips for web, IT, and marketing teams.


Read more about Siteimprove Data Privacy here.