5 Things to Prepare for GDPR

Editor’s Note: With less than 30 days until implementation, we’ve outlined what we see to be the five most important things your brand can be doing to prepare for the EU’s General Data Protection Regulation. While this list is not inclusive of everything you must do to be GDPR-compliant, we think it’s a good start and probably the best way to kick things off if you haven’t already.

This article does not constitute legal advice. I’m not a lawyer. And I’ve never played one on TV.

Want to know, unequivocally, what you need to be GDPR compliant? Qualified, expert legal advice. If you go hire an EU-based privacy lawyer at this very moment, you get a pass on reading the rest of this article. You’re welcome.

Here is a recommended starting point:

If you’re seeking legal advice, a Google search will bring no shortage of options. Definitely do your due diligence, though, and go with a top tier firm that has helped other companies reach compliance.

If you’ve not yet hired a lawyer, please continue reading. You may also want to dive further into GDPR with our recent white paper, where I’ll once again berate you about hiring a lawyer.

Suggested Reading: PMG’s EU GDPR White Paper

I know, this sounds awful. It isn’t that bad, though.

Allow me to make the case for reading all 99 pages of the GDPR. I find scare tactics to be very useful for all privacy-protection topics, so let’s go with that.

Organizations found to be in violation of GDPR are liable for up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. Translated to American, that’s a lot of dollars. Moreover, if during the investigation, GDPR enforcement authorities uncover negligent levels of preparation, the penalties will be steeper than were the organization in question to have exerted a notable effort to achieve compliance. In summary, reading the text and making a real effort could potentially save your ass. I don’t know of any readers of the PMG blog that shoot for mediocrity, though, so that’s the end of the scare tactics.

If nothing else, at least read the sections that are most pertinent to your organization. If you’re a controller, my smartass advice is that the entire thing is most pertinent. So read it. But in reality, you need to understand, at a minimum, these six sections:

Article 6 – Lawfulness of processing

Article 7 – Conditions for consent

Chapter 3 – Rights of the data subject

Article 24 – Responsibility of the controller

Article 32 – Security of processing

Article 40 – Codes of conduct

Why are you gathering data about customers? What’s your end purpose for that data? These are things that you have to have clearly mapped out before ever thinking about the “how” aspect of GDPR.

Having seen behind the curtain of many enterprise data-collection practices, the general theme reminds me of the show “Hoarders”. Many organizations, enabled by absurdly cheap data-storage costs, shoot for quantity over quality, chasing the ever-elusive and wholly-unrealized mastery of “big data,” the king of resume buzzwords. In reality, I don’t think there’s a company on Earth that could effectively derive a competitive advantage from the knowledge that I once purchased a pair of pleated khakis in 2002 and provided the cashier with an aol.com email address.

We don’t really need all of the data that gets collected; in fact, I’d make the argument that the complexity and confusion surrounding burgeoning customer files, tag fires, and attribution logs actually serve as more of a hindrance to effective data utilization. Throw a tightening regulatory environment into the mix, and things start to go sideways.

Maybe take this as an opportunity to simplify some data practices… just a thought.

Stepping off my soapbox, clearly articulating the why behind the existence of any single piece of data is important, simply put, because it will soon be illegal not to do it. The prescribed uses are critical to the “how” phase of GDPR compliance – controllers are required to communicate such uses to data subjects in the process of gaining consent.

Personally, I would much rather define the explicit uses for five pieces of personal data than for a few hundred. Cutting out a lot of superfluous data will make all manner of regulatory compliance easier in the future, but it should also help your org to do more with less.

Once you’ve got a clear picture of the data you gather, how you gather it, and for what purposes you gather it, you’re ready to begin implementing the changes required by GDPR to ensure the rights of natural persons.

Most broadly, this means gathering consent and enabling data subjects to exercise their rights with respect to your custody of their data. We explore lawful consent and guaranteed rights at greater depth in the PMG GDPR white paper.

Suggested Reading: PMG’s EU GDPR White Paper

Functionally speaking, though, here are the things you’ll need to support those requirements:

A method of gaining consent from customers that is easily understood and outlines all uses of the data being collected.

An equally simple method of revoking consent.

An interface that allows customers to make requests for other actions to be taken with their data. This will require some more extensive work on the back end.

A way to ensure that your partners, which have access to personal data, provide the same level of protection and features to ensure data subject rights.

While we don’t offer legal advice on GDPR, making practical recommendations around preparation is an area where we can help. PMG is great at taking complex, suboptimal systems, distilling them to their simplest components, and refactoring them to work toward a desired outcome. That’s really what lies at the heart of preparing for GDPR.

It’s important to understand, at each phase of data collection and activation, who touches the data that doesn’t live under your roof.

Are you running outdated display partner tags in a floodlight? Is your tag management container open to the world with a single login? Does your point-of-sale system run through third-party servers? Are you buying additional data about existing customers from someone like Experian? Do you utilize any infrastructure services, like AWS or Google Cloud? Do you have a data management platform streaming a wealth of personal data by the minute? Do you send customer data out to third parties for email or direct-mail marketing services? Is your office buzzing with management consultants that need access to all sorts of customer data? Do you have a third-party CRM system like Salesforce?

The series of discovery questions could go on for a very long while. Rather than tailoring a solution to each of these scenarios, it may be easier to approach partner auditing for GDPR compliance like an elimination diet. Define an information security management system (your IT leaders should have an opinion on this) that fits into some sort of data protection paradigm, e.g., ISO-27001, SOC2, EU-US Privacy Shield, etc…

Once having defined the new minimum requirements that your organization demands of its partners, begin to take an individual look at each contract to see if it’s serviceable. If not, it goes in the naughty pile and data access is revoked from that partner until they can come up to speed.

Naturally, this will take your organization much longer than the time left until GDPR goes live. The good news, though, is that organizations that can demonstrate a concerted effort in this area will be granted greater leniency in the event of a GDPR violation.