Here are the essential tasks for a GDPR implementation project. You will want to change the sequence to suit your organisation but should look to check off each of these tasks.
Please note that this is not legal advice, which should be sought separately.
In larger enterprises, or ones that carry out deep profiling, this person needs to have a direct reporting line to the board.
You will want to seek legal advice, particularly before carrying out, and to validate, your LIAs and PIA (see below).
It is recommended that key staff, including board members, are trained on GDPR from the outset so that they are fully aware of the GDPR requirements and support the rollout.
Identify the sources of the existing customer data, which fields / types of data are being kept, and the quantity, including: systems, CRMs, website platforms, ecommerce platforms, marketing platforms, spreadsheets, accountancy solutions etc.
Identify the quality of the data, and the specific permissioning of each data set and of individual customer data records.
A Legitimate Interests Assessment (LIA) is there to identify where ... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...
A Data Protection Impact Assessment (DPIA), also referred to here as a PIA, is an assessment to identify and minimise the data protection risks of your processing to the individuals concerned, and with them your non-compliance risks; this needs to be firmly in place.
As part of the PIA and LIAs you should have identified all the customer data workflows, and either identified which ones need changing or which datasets need to be removed, as well as having all the remaining ones fully justified.
Identify which system will be the core GDPR system, where the customer GDPR permissioning is stored and made available to other systems.
Identify all the other systems which will contain data affected by GDPR, and identify the data routing / workflows you will need to have in place between them.
Identify all the changes in working practices and systems, along with the integrations that are required.
Ensure you have cleansed your datasets as far as possible prior to any re-permissioning campaigns.
Running ‘wild’ email re-permissioning campaigns against uncleansed lists is likely to damage your email / campaign deliverability, potentially to get you suspended by some email service providers, and will depress your audience engagement. Cleaning up the data as far as possible in advance will minimise these risks.
Use online and offline means to re-permission, including 3rd party data bureaus and services, in particular prior to the 25th May 2018. Ensure all marketing re-permissioning is against the specific GDPR-grade permissioning statements, and that every consent is fully audited: who consented, to which statement wording and version, through which channel, and when.
Make sure that all customers can update their personal permissions through an online preference centre. Those changes then have to be distributed to all your internal systems and to all your customer data / marketing / sales workflows and platforms.
Also make sure that you have a cookie preference centre and proper control over cookie permissioning for non-identified / non-permissioned users (this still requires legal clarification in the UK).
Identify and execute on all the technical API integrations and import / export workflows. Cease using the workflows / systems / processes which cannot be made GDPR compliant.
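The re-permissioning and preference-centre steps above boil down to one thing an auditor will ask for: for every contact, show which statement wording they agreed to, when, through which channel, and what every downstream system was told as a result. The following is an added example of an append-only consent ledger that does this; it is illustrative code written for this page, not Affino's schema or API. The statement texts, purpose names and contact identifiers are all constructed for the example.

```python
"""Append-only consent ledger for GDPR re-permissioning.

Each event records consent (or its withdrawal) against a versioned permission
statement, stores a hash of the exact wording shown, and is chained to the
previous event so that later edits to the history are detectable. The ledger
resolves each contact's effective permissions and produces the payload that
downstream systems (CRM, email platform, ...) must be synced with.
All names below are assumptions for the example, not a product schema.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed, versioned permission statements. A consent is only auditable if
# you can show the wording the contact actually saw, so the text is hashed.
STATEMENTS = {
    ("marketing_email", 2): "We will email you about our products and events. "
                            "You can unsubscribe at any time.",
    ("profiling", 1): "We will use your browsing history to personalise "
                      "what we show you.",
}


def statement_hash(purpose, version):
    text = STATEMENTS[(purpose, version)]
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentEvent:
    contact_id: str
    purpose: str          # e.g. "marketing_email"
    version: int          # statement version shown to the contact
    granted: bool         # True = opt in, False = withdrawn
    source: str           # "web_form", "preference_centre", "phone_bureau", ...
    at: str               # ISO-8601 UTC timestamp
    stmt_hash: str = ""   # sha256 of the statement wording agreed to
    prev_hash: str = ""   # digest of the preceding event (hash chain)
    digest: str = ""      # sha256 over every field except this one


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(ev):
        body = {k: v for k, v in ev.__dict__.items() if k != "digest"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, contact_id, purpose, version, granted, source, at=None):
        """Append one consent event; refuses statements that were never published."""
        if (purpose, version) not in STATEMENTS:
            raise ValueError(f"unknown permission statement {purpose} v{version}")
        at = at or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].digest if self.events else self.GENESIS
        ev = ConsentEvent(contact_id, purpose, version, bool(granted), source, at,
                          stmt_hash=statement_hash(purpose, version), prev_hash=prev)
        ev.digest = self._digest(ev)
        self.events.append(ev)
        return ev

    def verify(self):
        """True if no event has been altered, inserted or removed since recording."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or self._digest(ev) != ev.digest:
                return False
            if statement_hash(ev.purpose, ev.version) != ev.stmt_hash:
                return False  # the published wording was changed after the fact
            prev = ev.digest
        return True

    def effective(self, contact_id):
        """Latest event per purpose wins. A purpose with no event is absent,
        and absence must be read as 'no permission', never as a default opt-in."""
        state = {}
        for ev in self.events:          # ledger order == chronological order
            if ev.contact_id == contact_id:
                state[ev.purpose] = ev.granted
        return state

    def sync_payload(self, contact_id):
        """What every downstream system holding this contact must be updated to."""
        eff = self.effective(contact_id)
        stamps = [e.at for e in self.events if e.contact_id == contact_id]
        return {
            "contact_id": contact_id,
            "permissions": {p: eff.get(p, False) for p, _ in STATEMENTS},
            "as_of": max(stamps) if stamps else None,
        }


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("c1", "marketing_email", 2, True, "web_form", "2018-04-01T10:00:00+00:00")
    ledger.record("c1", "profiling", 1, True, "web_form", "2018-04-01T10:00:00+00:00")
    ledger.record("c1", "profiling", 1, False, "preference_centre", "2018-05-02T09:30:00+00:00")
    print(ledger.sync_payload("c1"), "chain ok:", ledger.verify())
```

The point of the hash chain is not cryptographic theatre: when a contact disputes that they ever opted in, or a regulator asks why a withdrawal did not reach the email platform, you need to show the record was not quietly rewritten. Keep the ledger as the single source of truth (the "core GDPR system" above) and push `sync_payload` out to every other system rather than letting each one keep its own opt-in flag.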
Ensure you create a data policy that is shared with all the staff.
Ensure that everyone is trained and aware of the new data policy and that it is part of any staff contract and onboarding process
Ensure you have a Data Breach Policy in place, with effective reporting workflows behind it so that a breach can be assessed and, where required, reported to the ICO within the 72-hour window. You can see Affino’s here.
Ensure that your website and service Terms and Conditions are updated to be GDPR compliant. You can see Affino’s here.
Depending on how you are set up to handle personal data requests you will want to have in place a host of GDPR-related forms, potentially including: Forget me, Send me my data, and Do not profile me. You can see Affino’s here.
Review your approach to Lead Capture and sharing. To be fully GDPR compliant, contacts whose details you are sharing (or selling) must have explicitly and voluntarily signed up to the third party’s marketing / comms (un-bundled from any other consent), and must have given you both their permission and their preferences.
If your platform, like Affino SaaS, supports auto contact archiving then explore putting it in place to ensure that you only have the personal data in your database that you should have.
We strongly recommend insuring against GDPR-related incidents. Note also that there is a high likelihood that you will need to update your working practices to be able to get appropriate insurance, e.g. enforced 3-monthly password changes for team members who have access to your CRMs. Be aware that current NCSC and NIST (SP 800-63B) guidance advises against routine password expiry in favour of strong unique passwords, multi-factor authentication and monitoring, so push back on an insurer that insists on it and offer those controls instead.
Ensure that all the systems, workflows, and policies are continuously reviewed and updated, in particular when new processes and systems are on-boarded.
A key requirement is to have your GDPR implementation plan in place, and steadily reviewed and updated as milestones are hit. In the absence of full compliance, having a plan in place is absolutely essential.
If you are an Affino user you will want to follow the Affino GDPR Help Guide. It is packed with useful pointers as to the exact steps and elements which are essential to being fully GDPR compliant when using Affino.
The ICO has two useful checklists as well, one for Data Controllers and one for Data Processors; see them both here. If you want to see how Parliament is doing with shaping the legislation, now not due until the last minute ... see here.
20 years of digital business experience with: Audi, BBC, Casio, Diesel, EMI, MasterCard, Rovio, UBM, UMG, and now Gill, Procurement Leaders, Briefing Media, Ocean Media, and IDG. Lead consultant for digital business transformation.