Here's how Irish companies can prepare for the GDPR

By Ian Blake on 26 January 2018 at 17:26:17 GMT


It’s fair to say the marketing landscape has changed since the first European Union Data Regulation was put into motion 23 years ago, in 1995.

Back then, smartphones didn’t exist, WiFi networking was not publicly available, and it cost $1120 to store 1GB of data. Customer contact details and targeted email lists would have been stored on central company servers, but a lot of B2B marketing data was still held on paper.

Although updated since, the legislation has not kept pace with technology – or with the latest B2B marketing practices. The falling cost of storage, the advent of always-available email and messaging apps, and enhanced tracking technologies mean that businesses are now collecting and storing information in volumes that would have been unimaginable in 1995.


The new General Data Protection Regulation (GDPR) has been designed to take account of these changes, and to give individuals greater control over their personal data.

Low cost computer storage encourages businesses to hold B2B marketing data for longer – but this doesn’t necessarily benefit individuals.

By introducing stiffer penalties for non-compliance (a data protection breach fine can reach €20m or 4% of global turnover), companies have a massive incentive to overhaul their data collection policies and to protect personal data.


How does GDPR affect my business?

First, GDPR is non-negotiable. Every business that processes or stores data belonging to EU citizens is bound by the regulation – including those based outside the European Union. As such, Irish businesses cannot ignore their responsibilities. The Data Protection Commissioner will take a dim view of any business trying to excuse non-compliance with pleas of ignorance.

To fully understand your role, you must first understand whether your business is a data controller, a data processor or a combination of the two.

A data controller is any individual or organisation that collects citizens’ data, and who determines how it is used. In relation to B2B marketing, this would be the brand.

A data processor carries out data-related activities using that information on behalf of the controller. An example would be your hosted CRM or email marketing platform.

If your sales department collects personal information that is then used by marketing for campaign purposes, your business would be both controller and processor.

Both processors and controllers have a duty to protect EU citizens’ data. The details of each role can be found on the Data Protection Commissioner’s website.

Legitimate interest - justifying the B2B marketing data you store

Under GDPR, your business must be able to prove customer consent for collecting, storing and using their personal information. This is known as legitimate interest. In most cases, for instance, businesses should be able to justify holding data belonging to existing customers on the basis of legitimate interest.

Your team will need to carry out an audit of both the data you store, and how it is collected. You must consider:

- What information have we collected about each individual?
- What is our relationship to that individual?
- Do we have a legitimate reason for holding that individual’s data?
- Where is that data stored?
- Who has access to that data?
- Are our data collection processes GDPR compliant?

This data protection audit is fundamental to understanding current levels of compliance, and for planning how to improve data collection and processing in future. Larger businesses may consider appointing an in-house Data Protection Officer to oversee these efforts.

Delete outdated/irrelevant customer data

Immediately after conducting a data protection audit, you must begin the process of removing non-compliant data. Any detail for which your business cannot show a legitimate interest should be deleted immediately.

Under GDPR, this information must be made unrecoverable – simply sending old customer contact details to cold storage archives will not meet your obligations. It must be removed completely and permanently from your systems.

If you do want to resurrect this information or hope to use it at a later date, you must contact the individual and seek GDPR consent.

Ensure you can access data in cold storage

Do not limit the scope of your data audit either. We tend to think in terms of the data we can see, available in the customer relationship management system or similar. But there are generally several copies of every record, past and present, stored somewhere in your business.

Computer backups, particularly those stored in off-line tape archives, are a treasure trove of historical personal information. They are also covered by GDPR, so you need to be able to demonstrate legitimate interest for this information too – even if the tapes are rarely/never used.

You may have to liaise with the IT manager to ensure that archived B2B marketing data can be recovered (and deleted) within a “reasonable time frame” should a client submit a “right to be forgotten” request. Although the GDPR legislation is not clear on how long this “reasonable time frame” is, the general consensus is 30 days from receipt of a request.

And don’t forget – GDPR extends to your old paper files too.

Build GDPR-compliant B2B marketing data collection and retention processes

With management of existing data under control, attention turns to how it will be collected in future. The rule of thumb should be to collect and retain as little personal information as required to perform the specific activity you have in mind.

Importantly, marketers cannot assume implied consent for new customers. Soft opt-in is no longer an option; instead you must seek genuine opt-in, where the contact confirms that they do want to receive your messages. To ensure that there is no question about legitimacy, you should seriously consider implementing double opt-in when building an email list, requiring each individual to confirm their intentions twice.

Also remember that data should not be held for any longer than is required. Just because a customer opted in several years previously does not implicitly mean that they expect you to retain their data forever. Consider periodic reviews of what you store, and potentially even asking customers to opt in again on an annual basis.

GDPR also gives individuals the right to ask to have their personal information deleted – even in a B2B scenario. Your data audit will have identified where this data is stored; it is then a case of deleting it permanently.

Working alongside the IT manager, you should create a process to fulfil each request quickly and effectively, and to create the necessary proof that the data is gone. Building a process now will make the task quicker and more efficient for when you do begin to receive opt-out requests.
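The three processes above (double opt-in, periodic retention review, and fulfilling a deletion request with proof that the data is gone) can be made concrete in code. The following is an added example and is not code from the original post or from Squaredot; it assumes in-memory dictionaries standing in for the CRM, the email platform and the backup index, a placeholder signing key, and constructed sample data. Confirmation links carry an HMAC-signed token so they cannot be forged or reused, consent records capture when and how consent was given, and the erasure proof keeps only a hash of the address rather than the address itself.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical server-side key for signing confirmation links (constructed placeholder).
SIGNING_KEY = b"example-signing-key-replace-in-production"

# In-memory stand-ins for the CRM, the hosted email platform and the backup index,
# each mapping email -> consent record. Constructed for the example.
STORES: Dict[str, Dict[str, dict]] = {"crm": {}, "email_platform": {}, "backup_index": {}}


def make_confirmation_token(email: str, issued_at: datetime) -> str:
    """Step 1 of double opt-in: build the HMAC-signed token carried by the confirmation
    link, binding the address and issue time so the link cannot be forged or reused
    for a different address."""
    payload = f"{email}|{issued_at.isoformat()}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def confirm_token(token: str, now: datetime, max_age: timedelta = timedelta(hours=48)) -> Optional[dict]:
    """Step 2: the contact clicks the link. Verify signature and expiry, then write the
    consent evidence (address, source, signup and confirmation times) to every store."""
    try:
        email, issued_iso, sig = token.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{email}|{issued_iso}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged link
    if now - datetime.fromisoformat(issued_iso) > max_age:
        return None  # stale link: the contact must sign up again
    record = {"email": email, "consent_source": "double_opt_in",
              "signup_at": issued_iso, "confirmed_at": now.isoformat()}
    for store in STORES.values():
        store[email] = dict(record)
    return record


def retention_review(now: datetime, max_age: timedelta = timedelta(days=365)) -> List[str]:
    """Periodic review: list contacts whose confirmed consent is older than the retention
    period, so they can be asked to opt in again or be deleted."""
    stale = [email for email, rec in STORES["crm"].items()
             if now - datetime.fromisoformat(rec["confirmed_at"]) > max_age]
    return sorted(stale)


def erase(email: str, now: datetime) -> dict:
    """Right-to-be-forgotten request: remove the record from every store and return a
    proof-of-erasure entry. The proof keeps only a hash of the address, so the evidence
    that data was deleted does not itself retain the personal data."""
    removed_from = [name for name, store in STORES.items() if store.pop(email, None) is not None]
    return {"subject_hash": hashlib.sha256(email.lower().encode()).hexdigest(),
            "erased_at": now.isoformat(), "removed_from": removed_from,
            "complete": all(email not in store for store in STORES.values())}


def run_demo() -> dict:
    """Walk one constructed contact through sign-up, confirmation, review and erasure."""
    for store in STORES.values():
        store.clear()
    t0 = datetime(2018, 1, 26, 12, 0, tzinfo=timezone.utc)
    token = make_confirmation_token("alice@example.com", t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # one hex digit altered
    confirmed = confirm_token(token, t0 + timedelta(hours=1))
    return {
        "confirmed_email": confirmed["email"] if confirmed else None,
        "tampered_rejected": confirm_token(tampered, t0 + timedelta(hours=1)) is None,
        "expired_rejected": confirm_token(token, t0 + timedelta(days=3)) is None,
        "stale_after_30_days": retention_review(t0 + timedelta(days=30)),
        "stale_after_400_days": retention_review(t0 + timedelta(days=400)),
        "erasure": erase("alice@example.com", t0 + timedelta(days=400)),
        "stale_after_erasure": retention_review(t0 + timedelta(days=400)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the stores would be the CRM, the email platform's API and the backup catalogue identified in the data audit, and the proof-of-erasure entries would be kept in a write-once log so that a completed request can be evidenced later without holding the deleted data.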

Changing the way you think about B2B marketing data

The new General Data Protection Regulation is really just the latest refinement of EU data protection law, intended to give individuals greater control over their own information. Any business already complying with existing data protection legislation should already be at least half-way to GDPR compliance.

One of the biggest changes that the new law will cause is in the way Irish marketers think about data. Ultimately, your permission email marketing database is not yours – you have simply been given permission to contact those people. Information collected by your business is not permanent either – individuals can ask you to delete their data at any time, even if they are confirmed members of your double opt-in email list.

If marketers can grasp this fundamental change in mindset, other GDPR related challenges will be much easier to overcome.

[Please note: This blog is written from Squaredot’s point of view and understanding of the GDPR and changes to PECR (which is still in draft as of the publication date of this blog). Information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts and/or the Irish Data Protection Commission for any controversial questions. For everything else, we welcome your thoughts in the comments section below!]