Beyond Consent: What GDPR means for marketing-led organizations
Most mid-size companies I have spoken to about GDPR compliance mainly seem concerned about one thing — and that is seeking consent. Many of them are scrambling, reaching out to customers, asking to reconfirm their marketing information and/or to get re-permission for email marketing.
GDPR and Consent
And with good reason. The GDPR is mainly designed to protect personal data of private subjects of the EU. It is now imperative to seek explicit consent from the respective individuals before using their data in any way. Automatic consent (pre-filled checkboxes), for example, isn’t allowed any more. Consent must be sought using unambiguous language. Also, remember that consent can be withdrawn by an individual at any time.
Not only that, separate consent is required for each type of activity you may intend to perform with their data. As an example, you will need separate consent for emailing them, calling them, and/or sending postal mail to a mailing address.
What’s more, individuals can also invoke their right to be forgotten — in which case you will need to purge their data or at the least, make it inaccessible except for specific cases such as issues of public interest, legal compliance and public health.
Think Beyond Consent
What many mid-size organizations fail to realize is that while it is clearly important that they not misuse their customers’ personal data for marketing benefits, a typical organization’s responsibilities under GDPR go well beyond that. In addition to requesting permission to use data, organizations must work towards protecting this data from all forms of breach. Article 4(12) of the GDPR says: “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It is clear from the above that a personal data breach isn’t only an instance of misuse. Ransomware attacks, accidental destruction, data loss, and alteration of data can all cause an organization to fall afoul of GDPR compliance.
The simplest and the best way to comply is to have a solid data Backup & Recovery strategy. In fact, GDPR makes the case for Backup and Recovery procedures unambiguously. Article 32(1)(c) states that “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
End User Data — It is just as important as any other
An often neglected area is organizational data that is in the hands of employees or end users. Remember that personal data belonging to customers, employees and suppliers can be stored anywhere, including on employees’ endpoint devices, such as their desktops, laptops, and mobiles. So, it is important that they be included in any Backup & Recovery strategy.
Protecting end user data has never been more critical. Several mid-size organizations don’t have an endpoint data protection strategy, and they should consider an endpoint backup solution if they don’t have one in place already, preferably one that can use cloud storage for the backup repository. In fact, it is a good idea to look for solutions that can leverage cloud storage the company may have already purchased for its end users (like OneDrive for Business or Google Drive).
Additionally, GDPR strongly advises pseudonymization and/or encryption of all personal data. Organizations will be well served by considering a solution that can ensure security and privacy by encrypting files with a clear segregation of duties. Proper segregation of duties ensures that the organization, as the data owner, controls the encryption and decryption keys, and not the cloud or software vendor.
Going the Whole Nine Yards
GDPR is about more than just consent-seeking for marketing purposes. Until now, most of the focus on GDPR, and the lawsuits that have resulted since it came into effect, has been on how organizations need to be careful about email marketing, careful about what they send customers, and sure that they have obtained consent. But consent to collect and use personal data is just one of the steps towards becoming GDPR compliant. GDPR compliance is a continuous process and may often require an organization to change its practices and methodology around how it manages data.
Remember that GDPR is as much about keeping data and the data storage environment safe as it is about using data in a compliant manner.