Preparing for EU GDPR

The four letters on everyone’s lips this spring will definitely be: GDPR. This quick guide will help you get ready for the EU General Data Protection Regulation. Here you’ll find the essential information and supporting material to get you ready for May 25th, when the regulation comes into effect.


GDPR in short

  • The European Union’s new data privacy regulation, which governs the individual’s right to privacy
  • Applies to companies and organisations that collect or process data
  • Governs the gathering and processing of personal data, meaning data directly linkable to an identifiable person
  • Pushes towards a more secure and transparent manner of processing personal data

What do you need to know?

GDPR contains these three key themes:

  • Transparency, fairness and lawfulness
  • Security by default and by design
  • Fundamental rights of the individual


For you to be GDPR-compliant, check that you’ve got these themes covered!
In a nutshell, you should prepare for compliance on three different fronts:

  1. Communicate what you do in an open and transparent manner to your customers.
  2. Ensure you handle personal data in a secure manner, and document it.
  3. Make sure you can adhere to the fundamental rights and are prepared to answer to requests you might receive from your customers in the future.

Transparency, fairness and lawfulness

As usual, it’s about communication! One of the GDPR objectives is to cast more light on how customer data is used, so be open and honest about your data usage.

Make sure your external communication is up to GDPR standards, and formulate a specific privacy statement explaining how you process customer data and for what reason you collect it. The privacy statement must be available on your website or otherwise easily reachable by your customers. As a minimum, the statement should include information about:

  • What data you collect
  • Why you collect it
  • How you collect it
  • How you and any potential 3rd party partners process the data
  • Who are the 3rd party partners
  • How long you store the data
  • How customers may reach you if they want to discuss GDPR issues further

To promote transparency, also add information about your customers’ fundamental rights, so they know what they can ask of you. Challenge your communications team to write the statement in a clear and easily understandable fashion; if your grandad understands it, you’re well off!

In addition to a privacy statement, you’ll have to collect specific consent from your customers to be allowed to communicate with them: they need to actively grant permission (no pre-ticked boxes!), and they need to know what they consent to. The permission statement should be separate from the privacy statement, and from the general terms & conditions, and it should be clear, specific and as short as possible.

Remember that your consent statement should cover all the usage scenarios you have for the personal data you collect: if you ask for consent for one campaign only, you are not allowed to use the email addresses collected in relation to another campaign! So think ahead and start planning: what is your strategy for marketing automation, and what do you want to use the data for?

Once you’ve got the consent, make sure you’ve got it documented, and that the data you collect gets deleted eventually. So plan how you start your data collecting, and also consider how to delete the data once it’s not needed anymore (and when won’t it be needed anymore?).

One last piece of advice concerning permission collection: consent should be as easy to revoke as it is to give. So make sure you’ve got a clear and well-functioning setup in place for people who no longer want to hear from you.

In conclusion, the requirement towards transparency, fairness and lawfulness pushes you to make plans regarding your customer-facing communication! Make a strategy for what you want to achieve, and build your communication setup according to it. Marketing automation is not made illegal by the GDPR, but it will become more difficult to just “whip up something”: those with clear long-term goals and a plan to achieve them will be successful also in the era of the GDPR.

Security by default and by design

Aside from well-planned customer-facing communication, your organisation must prepare for the GDPR by having a documented, secure data-handling setup in place. You might hold a lot of information about your customers, some of it being data that they do not want out in the open, so make sure you’re worth their trust by handling their data in a secure manner.

To prepare for this, you should have an Information Security Management System (ISMS) in place, which ensures your organisation follows the security-by-default and security-by-design principles. There are a lot of standards and guidelines to follow when creating an extensive ISMS. Agillic complies with the ISO 27001 standard, as it goes hand-in-hand with several of the GDPR requirements and provides a comprehensive framework for an organisation-wide information security programme beyond the requirements of the GDPR.

Look into different frameworks and choose the one that works best for your organisation. The important thing is that you have identified the weak spots, control them in the best way possible, and have everything documented. The documentation requirement is the key to handling potential security breaches effectively. The GDPR requires you to be able to act in a certain manner in case of a data breach, so at that point you should be concerned with crisis handling instead of frantically trying to document your security setup for the organisations working with you to handle the breach.

In addition to having your security setup documented, you should consider auditing it to verify quality. Agillic is audited by an external auditor regularly to ensure unbiased expert reviews of our ISMS. Our latest audit was carried out in December 2017, and we received great feedback from our auditors: the Agillic ISMS was said to “set the bar for other comparable companies”.

The key to a secure system is to make sure that

  1. your setup of collecting, transferring, processing and deleting data is secure, and
  2. you are able to demonstrate that security.

You don’t necessarily need to adhere to any information security standard, but it does make it easier to identify and cover all relevant security weaknesses. By following a well-established security standard, you don’t have to re-invent everything yourself.

You could begin by analysing your data handling processes:

  • Data collection: what is collected, when, how, why?
  • Data transfer: where does the data collected flow? Which systems (internal or by a 3rd party) do you use? Think of CRM, marketing automation, data mining, customer support etc.
  • Permissions to process data: do you have consent from your customers to collect and process their data? Can you prove it? Are the permissions specific enough?
  • Data disclosing: be open about who you share personal data with, and be aware that you are responsible for data security together with your 3rd party partners. Ensure you have the relevant Data Processing Agreements (DPA) in place with your key service providers.

Once you know where customer data flows when it’s collected by you, you can start to secure your overall setup. Ensure that the 3rd party service providers you use are secure, and inform your customers about it.

If you want to hear more about the Agillic Information Security Management System, you’re welcome to contact us at contact@agillic.com.

Fundamental rights

As mentioned earlier, according to the GDPR, all EU citizens, no matter where they reside, have certain fundamental rights regarding their personal data.

Make sure your organisation adheres to these rights:

  • Right of access
  • Right to corrections
  • Right to be forgotten
  • Right to request a pause
  • Right of portability
  • Right to object (profiling or all data processing)

The common denominator of these rights is that you need a process in place to handle them effectively, and you need to test that process to make sure it works as intended. You should also train your employees, so they know what to do.

Below, we’ve listed some tips on how to handle the different requests.

Right of access and of portability

The Right of access means that your customer has the right to know how their data is being handled by you (and your 3rd party partners), and how it is being secured. They also have the right to ask you to transfer all data you have about them upon request.

The same process goes for the Right of portability: it means that the customer has the right to ask you to submit all their data directly to another organisation, when possible. The data should be submitted as structured data.


A few important tips:

  • Remember to check the identity of the person requesting access to the data, to avoid creating a data breach.
  • Check the rules regarding parents’ access to their children’s data: the parent does not automatically have the right to access their child’s data.

The data should be submitted in a machine-readable form and without unnecessary delay.

Right to corrections

The customer has the right to have inaccurate information corrected. Make sure the relevant employees in your organisation have the tools in place to correct any inaccurate information you might hold about a customer. Or better yet, create a “My profile”-page, where customers can edit their profile themselves.

Right to be forgotten

Make sure it is possible to delete all data concerning a person completely from your systems upon request. You should have an overview of all the systems you use to process data, in order to ensure you’ve deleted the data everywhere.

You should also ensure a way of double-checking the identity of the person requesting the deletion, in order to avoid people misusing this right.

Right to request restriction of data processing for a period of time

It is possible to restrict data processing for a limited time by adjusting recipient permissions.

Right to object to profiling

Profiling means automated processing of personal data to evaluate certain aspects relating to a person. That could be the analysis of, for example, a person’s:

  • Personal preferences
  • Economic situation
  • Interests
  • Behaviour
  • Geographic location
  • Movements

If a customer objects to profiling, consider communicating with them in a more general manner, without using profiling functionalities.

If you follow the instructions and advice given here, you will be well prepared for the GDPR. You are always welcome to contact us in case of questions or concerns about the GDPR and Agillic – we are here to offer you a secure marketing automation solution that enables you to be GDPR-compliant.