What you need to do to be GDPR compliant
Disclaimer: The information in this blog and White Paper is provided for general informational purposes only. No information contained within should be construed as legal advice from Verticurl, nor is it intended to be a substitute for legal counsel on the subject matter.
Our previous blogs talk about who needs to be GDPR compliant as well as the ambit of GDPR. This article will focus on how an organization can become GDPR compliant.
Step 1 – Audit of all your existing data acquisition and management processes to identify gaps.
Data Acquisition
- Is the permission acquisition process GDPR compliant? Across all channels of acquisition?
- Are you recording the date, source, and purpose of permission acquisition? Where is this permission information being stored?
- Is it easy for contacts to come and check/update their permission and profile?
- Have you updated the permission status of all existing contacts in your database so that their permission details are also GDPR compliant? Is this applicable to all personal data, especially those which uniquely identify a person?
- What profile data are you acquiring and why? Is any of this data sensitive? Are you being extra careful about contacts who might be minors? Where is all this data being stored?
Data Management
- Can you provide all details that you have about a contact to them, upon request?
- Can you comply with a request to delete all their details from your systems? Can you ensure that this deletes their information from all the systems?
- Can you comply with a request to stop processing the details of a contact, upon request, especially if it uniquely targets them? Can you stop any email/cookie/activity history-based retargeting campaigns? Can you stop their details from being processed?
- Are you using a vendor or technology provider who has access to this data? Are their processes and systems GDPR compliant?
- Are you using steps like anonymizing data or pseudonymizing data to prevent a contact from being identified?
Step 2 – System and Process Update
- Implement processes and systems to ensure that you are GDPR compliant.
- Design a GDPR compliant permission center. Ensure that this center has access to all channels of data processing and engagement so that you can control any processing steps or campaigns upon request.
- Design a data repository such that all information about a contact can be easily accessed.
- Create documentation about data flow between systems. Ensure that the flow anonymizes/pseudonymizes the data wherever possible.
- Create rules and processes for your vendors and system providers to follow, so that they are also GDPR compliant.
- Deploy a Data Protection Officer.
As you can see from the above points, getting GDPR compliant can be a pretty involved process. If you need help, please contact us so we can run an audit for you, and then create and implement a plan to help you become GDPR compliant.
For more details on this topic, please send a request through the enquiry form to receive our Whitepaper on GDPR.