So you’re a Brand Manager or Creative Director and in the middle of a meeting someone has mentioned ‘GDPR compliance’. You may know by now that it’s nothing to do with Gross Domestic Product, but is the General Data Protection Regulation something you should be seriously concerned about?
A lot of people might say “it’s an IT issue” and move on. The reality is that, while the IT teams may have had worried looks on their faces for a while, the GDPR is far more business-focused than the previous Data Protection Act, which was itself often misunderstood as being primarily an IT concern.
Process, documentation and no silver bullets
In reality, most of the GDPR is centred on processes and documentation. There is no magic IT silver bullet which will make a company compliant. The GDPR applies from 25 May 2018, so there is now only a short window of time in which to prepare.
There is currently a significant amount of confusion and scaremongering surrounding the GDPR, with consultancy firms bandying around statements such as “non-compliance can result in a fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher”. Even a large agency would likely suffer significant financial problems following a €20 million fine, while 4% of turnover is enough to make any CEO sit up and take notice. However, the UK’s supervisory authority, the Information Commissioner’s Office (ICO), has declared that it does not intend to use the maximum extent of its powers and is initially aiming to guide rather than coerce.
The same consultancy firms who are spreading the word about the scale of the fines will, coincidentally, happily send a team in to produce a large quantity of paperwork to assist you with your compliance processes. In fact, many large corporates will have had teams in place for some time, looking at processes and creating documentation to try to ensure compliance with the GDPR.
Is there any guarantee of compliance?
The one thing that seems to be overlooked is that at this point there is no way to guarantee compliance. There is no certificate, no audit process and no assurance that what is in place is compliant. Further, from my discussions with former colleagues and customers, many of the current projects are being run as a head-office central IT operation, and the interaction with the wider business is slim to non-existent.
A lot of the guidance from the ICO is still in a state of flux as the ‘Article 29 Working Party’ continues to elaborate on the meaning behind much of the core legislation and how it applies in the real world. There are also, naturally, no existing enforcement cases against firms which have failed to comply, since the GDPR does not apply until May 2018.
However, this doesn’t mean that fingers won’t be pointed if things go wrong. So, what can you do, and what should you know to be informed?
- There’s no need to panic. As mentioned, the ICO has suggested that the highest fines are unlikely to be levied and any initial non-compliance is more likely to result in advice than prosecution.
- Check what corporate programme is already in place. Everything may already be in hand. If you are reading this, however, that implies there has not yet been any (or sufficient) awareness training. In which case it would be worth asking what is being done and ensuring your enquiry has been recorded, for your own peace of mind if nothing else.
- Consider the information you hold in your team or department. The GDPR definition of ‘personal data’ is somewhat broader than the previous one, and if any questions remain it is worth obtaining advice. For example, there has been discussion in infosec circles around IP addresses being treated as personal data in Germany. The guidance given so far means that while the obvious examples (names and addresses) fall inside the definition, so would something such as a list of job titles and salaries: since there is generally only one CEO or Head of Department, the person can be identified by ‘association’ or ‘aggregation’. If you hold personal data, first examine whether you really need it. If you do, then consider how to protect it. Article 32 requires the controller to put in place appropriate technical and organisational measures, explicitly including “the pseudonymisation and encryption of personal data” (Article 32(1)(a)), and Article 6(4)(e) cites the same safeguards as a factor when judging whether data may be used for a purpose other than the one it was collected for. Note that pseudonymised data is still personal data under the GDPR; it is a safeguard, not an exemption.
- Examine your current projects and determine whether they will be affected by the GDPR. This is especially important if you have any responsibility for marketing. For example, there is a window of opportunity between now and May to get your contacts database in order without running into the new GDPR ‘consent’ rules. It will be harder to obtain consent for distributing marketing materials after May under the full compliance regime. Taking the time now to clean your mailing lists and contact people regarding their approval to receive communications will pay dividends in the second half of the year, when you will be able to continue your marketing campaigns unimpeded by compliance issues.
- Review your interfaces to other projects, programmes and departments. If you are capturing, transferring or receiving data then you may need to check how it is being used elsewhere. The purpose-limitation rules are far tougher now, so if you have captured the details of a HCP (healthcare professional) in order to invite them to a specific event, you can’t then pass those details to the central marketing team for any other type of marketing. Equally, if you are receiving data from somewhere else in the company you should be certain that you can use it for the purpose you intend: a mass email to people who only gave their details for use in a clinical trial has more serious consequences now than in the past.
- Use the GDPR as an opportunity. It’s a chance to obtain funding from on high to clean your contact database, to renew your leads and prospects and to put in place a much more streamlined approach to integrating CRM, CLM (closed-loop marketing) and event management. Gathering consent that is compliant with the GDPR is not a challenge for modern systems and, done in the right way, such as from within your DSA (digital sales aid) during a call, does not have to be intrusive. Nor does the greater granularity of consent need to be a problem: being able to identify those HCPs who are keen to attend events, compared with those who would prefer only minimal contact, can help you to segment and focus your efforts in the most beneficial way. Building your DSAs to make maximum use of the power available will enable you to collect the necessary consents and data not only to comply but also to improve your marketing campaigns.
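The ‘pseudonymisation’ safeguard mentioned in the personal-data point above is often implemented badly, so here is an added example of what it does and does not buy you. This is illustration code written for this page, not code from the article or from any of the products it mentions; the two sample contacts are constructed, the record layout is an assumption, and the key is a hypothetical placeholder. It shows three things a practitioner should check: an unkeyed hash of an email or job title is not a pseudonym (anyone can hash the same guesses and match), a keyed token (HMAC) links a person’s records without identifying them unless you hold the key, and the quasi-identifiers the text warns about (job title, exact salary) have to be dropped or coarsened separately because no token hides them.

```python
"""Added example: keyed pseudonymisation of a marketing contact list.

Not code from the original article. Sample contacts are constructed and the
key is a hypothetical placeholder; in practice it comes from a CSPRNG and is
kept apart from the data (the GDPR Art. 4(5) "additional information").
"""
import hashlib
import hmac

# Hypothetical key for the demo only.
KEY = b"hypothetical-demo-key-do-not-store-with-the-data"

# Constructed sample contacts (HCP = healthcare professional). With the name
# removed, "CEO" plus an exact salary still singles out one person.
CONTACTS = [
    {"name": "A. Example", "email": "A.Example@example.org",
     "job_title": "CEO", "salary": 250000, "event": "Cardiology Summit"},
    {"name": "B. Example", "email": "b.example@example.org",
     "job_title": "Head of Oncology", "salary": 180000, "event": "Cardiology Summit"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # replaced by the token
DROPPED_FIELDS = ("job_title",)          # identifies by aggregation; not needed
KEPT_FIELDS = ("event", "salary")        # needed for the purpose; salary is banded


def naive_pseudonym(value: str) -> str:
    """Plain SHA-256: deterministic but unkeyed, so anyone who can enumerate
    the input space (emails, job titles) recovers the original by comparison."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 under a secret key: the token still links a person's records
    across datasets, but without the key no guess can be checked against it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def salary_band(salary: int, width: int = 50000) -> str:
    """Coarsen an exact salary into a band so it is shared by several people."""
    low = (salary // width) * width
    return f"{low}-{low + width - 1}"


def pseudonymise(records, key: bytes):
    """Strip direct identifiers, replace them with a keyed token, drop the
    quasi-identifier that is not needed, and band the one that is."""
    out = []
    for rec in records:
        token = keyed_pseudonym(key, rec["email"].strip().lower())
        safe = {"subject_id": token}
        for field in KEPT_FIELDS:
            if field == "salary":
                safe["salary_band"] = salary_band(rec["salary"])
            else:
                safe[field] = rec[field]
        out.append(safe)
    return out


def re_identify(token: str, key: bytes, source_records):
    """Only the key holder with access to the source records maps a token back."""
    for rec in source_records:
        candidate = keyed_pseudonym(key, rec["email"].strip().lower())
        if hmac.compare_digest(candidate, token):
            return rec
    return None


def dictionary_attack(token: str, candidates):
    """What someone without the key can do: hash every guess and compare.
    Works against naive_pseudonym output, fails against keyed_pseudonym output."""
    for guess in candidates:
        if naive_pseudonym(guess) == token:
            return guess
    return None


if __name__ == "__main__":
    safe = pseudonymise(CONTACTS, KEY)
    print(safe)
    guesses = ["ceo@example.org", "a.example@example.org", "b.example@example.org"]
    print("unkeyed hash broken:", dictionary_attack(naive_pseudonym(guesses[1]), guesses))
    print("keyed token broken:", dictionary_attack(safe[0]["subject_id"], guesses))
    print("re-identified by key holder:", re_identify(safe[0]["subject_id"], KEY, CONTACTS)["name"])
```

Two design points worth noting: the email is normalised (trimmed, lower-cased) before tokenising so the same person gets the same token from every system that feeds the central database, which is what makes consent and suppression lists work across CRM, CLM and event tools; and the comparison in `re_identify` uses `hmac.compare_digest` so token lookups do not leak timing information. Banding the salary reduces the aggregation risk described above but does not remove it for a small team, which is why the example drops the job title rather than trying to disguise it.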
If you feel you would benefit from a more formal session on the potential impact of the GDPR, why not take a look at our review of IT Governance’s GDPR accreditation? We’ll be providing further resources on the impact of the GDPR, alongside the latest from Veeva and CLM development, so sign up for our newsletter to make sure you don’t miss our updates.