General Data Protection Regulation


October 2017 Whitepaper

General Data Protection Regulation: What does it mean for you and your organization?

General Data Protection Regulation (GDPR)

From May 2018, the General Data Protection Regulation, or GDPR, will be implemented for all organizations that do business in Europe. The GDPR was created with the intention of strengthening and unifying data protection for individuals within the European Union (this still includes Great Britain as well, at least for the time being). Not only large companies with many customers must follow the rules and regulations of the GDPR; it also applies to organizations such as administration offices, call and data centers, accountants, and IT and HR services.

May 2018 might feel like a long time away, but for a database to be completely ready to deal with these new regulations, it is closer than you think. To make sure companies are prepared for the rules and laws of the GDPR, it is wise to know what it means. What is the GDPR, what does it mean for an organization, and what steps need to be taken to be fully prepared? This whitepaper also contains a special section about marketing automation and what the GDPR means for companies that work with these automation systems.

What is GDPR?

The General Data Protection Regulation, GDPR, is a set of rules created to protect the personal data of all individuals living in the European Union. Personal information can be described as all information that can be used to identify a person. From May 25, 2018, all organizations that do business in Europe are obligated to follow these rules. The GDPR consists of two parts: the regulation, which applies to businesses, and the directive, which is created for government institutions such as police and justice departments.

The goal of the GDPR is to introduce new rules that apply to all countries in the European Union. The regulations are about the security and management of personal data of both customers and employees. Everywhere in the EU, companies are already preparing themselves for these new laws. The GDPR can be viewed as a renewal of the European law from 1995, the Data Protection Directive. The difficulty with that law was that every EU member state interpreted it differently, which led to fragmentation and haziness. In addition, the existing law needed to change to deal with the enormous amounts of data that come from modern developments such as cloud-based solutions and social media.

What is stated in the GDPR?

Most of the principles found in the GDPR are already known today; there are, however, some important renewals focused around five main pillars. The GDPR influences everybody working with personal data of European citizens. Personal data is described as all information about an identified or identifiable natural person. Besides the name and date of birth, remember that IP addresses, license plates or the numbers on purchase orders can also lead to the identification of a person. This means that addresses gathered for your newsletter fall under the GDPR.

The five pillars this new regulation is based on are:

1. Transparency
Companies must inform (potential) customers about how data is collected and processed in an understandable way. This means that people who are not familiar with data and data collection still need to know what happens to their data. Companies can no longer use long, illegible terms and conditions; consent must be clear and distinguishable from other matters. In addition, it must be just as easy to withdraw consent as it is to give it. Also, (potential) customers have the right to obtain confirmation as to whether personal data concerning them is being processed, where and for what purpose, and the controller must provide a copy of the personal data, free of charge, in an electronic format.

2. Data portability
(Potential) customers must be able to transfer their data from one provider to another, for example to change their telecom provider. This personal data must be provided in a commonly used and machine-readable format.

3. Right to be forgotten (or data erasure)
Companies must be able to erase all personal data about a person when asked to, even when the data is shared with third parties. These third parties must also stop processing the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.

4. Making notice of a data leak (or breach notification)
Companies are obligated to give notice of a data leak within 72 hours, unless they can prove that the leak does not endanger the rights and freedoms of the people whose personal data was gathered. In addition, data processors are required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach.

5. Privacy by design
At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition. To be more specific: the controller shall implement appropriate technical and organizational measures in an effective way to meet the requirements of this Regulation and protect the rights of data subjects (the (potential) customers).

Finally, there is an important change for controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences. These organizations must appoint a DPO (Data Protection Officer). The DPO:

- Must be appointed on the basis of professional qualities and expert knowledge of data protection law and practices
- May be a staff member or an external service provider
- Must have their contact details provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest

Another important factor is that companies must be able to prove that all these rules are respected and that they handle their data accordingly. If an organization is not able to show this, it risks a penalty of up to 4% of its annual turnover or 20,000,000 euro, whichever is greater. Good to know: the well-known legal principle "innocent until proven guilty" does not apply under the GDPR.

What does the GDPR mean for your organization?

Organizations that store data in datacenters or cloud solutions outside of the European Union must prove that they meet the rules and demands of the new laws. In addition, they must report a data leak within 72 hours. Organizations that work with cloud-based solutions such as Salesforce can benefit from the innovations of this CRM system. Salesforce is known as a highly innovative cloud-based CRM system. It already has rules, safety and security regulations that might help you live up to at least a few of the GDPR rules.

When the rules of the GDPR are not respected, it can cause high damage to the company's reputation, and it also results in a high fine. The exact numbers are hard to tell, but companies could be paying up to a maximum of one or two million euro or two percent of global yearly revenue.

Besides just harder regulations and fines, the GDPR also brings benefits to companies. For example, there will be only one legal framework. Because of the different interpretations by countries on this topic, there were about 28 different frameworks and rules for data protection in the EU. With the GDPR, this is brought back to one general framework applicable to all countries. This way, it is a lot easier for companies to expand their practices abroad: there is no need for a lawyer or consultant to help find out all the different rules about data, which might save up to 2 billion euro each year.

In addition to those benefits, the GDPR also helps your organization organize data management and improve the quality and quantity of your data. As mentioned before, one of the pillars of the GDPR is the right to be forgotten. This means that when a customer asks your organization to remove all data and information currently existing in the database, you must remove it. All data includes duplicate data and data that is shared with third parties.

If you want to be able to do this, your database needs to be clean and duplicate-free. This will have consequences for your database. Everything needs to be checked, data must be cleaned or merged, and a plan needs to be made to keep the database that way. This will therefore increase the quality of your data and validate the quality and information of the existing records.

How to prepare for GDPR

As mentioned before, every company needs to be able to show how it manages the rules and regulations of the GDPR. To do so, it is wise to think about how your organization wants to start. Nobody wants to see their departments drown in a pile of paperwork and information, and luckily, that is not necessary if good preparation is done.

Preparation starts with defining how your organization is going to manage data according to the rules of the GDPR. It does not mean that incidents can never happen, because they can, but that you make sure incidents are always handled with care and accordingly. In other words: set the rules, implement them in your organization, and make sure there is a regular check that the rules are being lived up to. Of course, these rules and implementations can still work even when changes and innovations occur.

Many organizations think that getting ready for the GDPR costs a lot of time and money, but it does not have to be that way. In fact, it is nothing more than implementing a privacy management system which can easily be linked to an existing management system such as your Salesforce organization. The challenge, and therefore the scope of the management system, is clear: your customer does not want their personal information out in the open.

Make sure that a plan is created in which it becomes clear how your organization deals with personal information. Include a part about how your organization makes sure that personal information does not end up on the streets. When doing this, you already follow the rules of the GDPR. Bear in mind that when, for example, a customer has informed your company that it wishes to leave and that all their contact information needs to be removed, it must be taken out of all existing systems, including your marketing automation.

Of course, it is important to inform your colleagues or employees about the new policies regarding data management and data storage and how they are supposed to work with these new rules, and to check on this every now and then. Checking can be done by conducting a test or by talking about the policies in performance reviews.

Creating and implementing a privacy management system with the rules and regulations of the GDPR is not done in a few weeks. It takes at least 2 to 3 months to finish, so make sure you don't start too late. Prepare yourself for the changes in 2017 so that in 2018, when everybody has to follow the new rules, your organization is ready.

The above should already be enough for organizations to make sure their database is duplicate-free and holds only complete, correct and relevant information. If not, the GDPR is a great motivation to start. As already described, the GDPR will set a whole new set of rules and regulations for handling data. These will have a direct influence on the use of marketing automation.

The GDPR and marketing automation systems are closely connected for obvious reasons. Marketing automation systems need data to function, and without data, marketing automation has no benefits for an organization. This means that most organizations collect and save their data in these systems. The GDPR requires that companies inform (potential) customers about the way they collect data and how it is processed. The marketing automation system can contribute to providing this information by installing automated messages that inform (potential) customers from the moment they install or download one of your products.

The GDPR also requires that customers can transfer their data to another organization and that they have the right to have all their data erased by the current organization. These two pillars are extremely important when it comes to the storage of data. It basically means that companies must be able to find all the information they have about their customers and erase all of it. To make sure no information is left, it is important that data is duplicate-free, complete and accurate.

Duplicate data in particular can be a big issue when it comes to the GDPR. When your organization thinks it has erased all the information about a client, but it turns out there are six other records of the same client, it is difficult to erase all information. The same goes for data that needs to be transferred. How can your organization be sure the most relevant, complete and recent information is transferred when there are six records of one person? It is extremely difficult to do. Currently, the above is only a difficulty, but when the GDPR regulations become a reality, it is also illegal and fines are on their way. Read the whitepaper "How to achieve Data Happiness" to find out how you can make sure this does not happen to you.

The last pillar, making notice of a data leak, also becomes much easier when your data is in order. Most marketing automation systems automatically show when a data leak occurs; they are programmed in such a way that they automatically send a signal when a data leak occurs. It is recommended to create a plan that describes how your organization deals with data leaks. The best way to do that is to include it in the data plan you are writing about how you deal with your data. Make sure that you do not forget this part of your plan, and inform your colleagues how they can detect a data leak and how they must act when they notice one.

Usage rights

There is one important part of data management that might make it more difficult to create these plans. As many of you know, plans only work when everyone in an organization acts accordingly. As mentioned before, it is therefore important that your entire organization is informed about the plans you made and that everybody is aware of their task. To do so, make sure everybody is aware of the usage rights. Discuss this with the administrators or management and determine the different rights of all users. It makes sense that, for example, an administrator can have more rights than a sales executive. Once these data usage rights are determined, make sure that the departments are informed about why the rules are set like that and how they should follow them. This helps prevent data leaks and makes sure information does not fall into the wrong hands. The usage rights also make it easier for everybody to know whom to contact for which question and who is responsible for which information. With that knowledge, it is easier to prevent leaks from happening. When leaks do happen, fixed usage rights also make it easier to locate the origin of the leak, which can later help prevent a data leak in the future.

Usable data

The last important part of the data plan is the usability of data and how long data should remain in a database. Try not only to follow the legal rules for data storage, but also consider your own reasons for the duration of data storage. How long do you need to keep information stored, and why? Is it wiser to get rid of information that is already 10 years old or that holds information about old customers? It might make your database a lot more insightful to remove that information. Because every organization is different, it is very difficult to determine how long data should last in a database. The only advice we can provide is to make it as easy as possible for yourself.

Don't keep data you will never use again or are not allowed to use ever again. It will only clutter your database and make it more difficult to make high-quality reports and decisions. Very old data is often not usable either: you have no idea if the data is still reliable, if addresses still work, or if the person you are focusing on is still working for the organization. We recommend determining a date or year which is set as a sort of "valid till" date. All data retrieved and unchanged before that final date can be erased. Make sure that everybody in your organization agrees on the set date and that research is done to determine if this is the best date. Important to remember in this respect is that a solution like this might mean that you regularly have to check and update the records in your database. For example, if you receive yearly donations, make sure the information from the donors is updated at least once a year. This way, loyal donors that have been in your database for over ten years are not erased, because their last update was within a year. It is easy to find out if the information is still accurate: just ask your donors to check their details every year. It requires just a single request, but it might have a huge impact on your database.
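The two data-handling procedures the whitepaper describes, erasing every copy of a person's data even when it is spread over several records and objects, and sweeping out records retrieved and unchanged before an agreed "valid till" date while keeping records that were refreshed (the yearly donor check), are shown below as an added Python example. This is not Plauti's code and not Salesforce's API: the Record class, its field names, the object types and the sample records are constructed for this example, and a normalized e-mail address stands in for whatever matching key an organization actually uses to tie records to one data subject.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Record:
    """One CRM record. 'obj' is the object type (Lead, Contact, ...); all fields are constructed."""
    rid: str
    obj: str
    name: str
    email: str
    last_updated: date


def normalize_email(email: str) -> str:
    """Case-fold and trim so 'Jane.Doe@example.com' and ' jane.doe@example.com' match."""
    return email.strip().lower()


def find_subject_records(records: list[Record], email: str) -> list[Record]:
    """All records, across all objects, that belong to the data subject with this e-mail."""
    key = normalize_email(email)
    return [r for r in records if normalize_email(r.email) == key]


def erase_subject(records: list[Record], email: str) -> tuple[list[Record], list[str]]:
    """Right to be forgotten: remove every record for the subject and verify none survive.

    Returns (remaining_records, erased_ids). The verification step is the point:
    deleting one record while five duplicates remain is the failure the text warns about.
    """
    erased = {r.rid for r in find_subject_records(records, email)}
    remaining = [r for r in records if r.rid not in erased]
    if find_subject_records(remaining, email):
        raise RuntimeError("erasure incomplete: subject still present in the database")
    return remaining, sorted(erased)


def retention_sweep(records: list[Record], valid_till: date) -> tuple[list[Record], list[str]]:
    """Retention rule: erase records last updated before the agreed 'valid till' date.

    A record refreshed after that date (a donor confirming details yearly) is kept,
    however long the relationship has existed.
    """
    stale_ids = {r.rid for r in records if r.last_updated < valid_till}
    return [r for r in records if r.rid not in stale_ids], sorted(stale_ids)


# Constructed sample database: one person stored three times over two objects (with
# differing case and whitespace), a long-standing donor refreshed this year, and a
# lead nobody has touched for years.
SAMPLE_DB = [
    Record("L-1", "Lead", "Jane Doe", "jane.doe@example.com", date(2015, 3, 2)),
    Record("C-7", "Contact", "J. Doe", "Jane.Doe@example.com", date(2016, 9, 14)),
    Record("C-9", "Contact", "Jane Doe", " jane.doe@example.com", date(2017, 1, 20)),
    Record("C-2", "Contact", "Loyal Donor", "donor@example.org", date(2017, 8, 1)),
    Record("L-4", "Lead", "Old Prospect", "old@example.net", date(2011, 5, 5)),
]


def demo() -> dict:
    """Handle an erasure request, then run the retention sweep; return what happened."""
    after_erasure, erased = erase_subject(SAMPLE_DB, "JANE.DOE@EXAMPLE.COM")
    kept, swept = retention_sweep(after_erasure, valid_till=date(2017, 1, 1))
    return {"erased": erased, "swept": swept, "kept": [r.rid for r in kept]}


if __name__ == "__main__":
    print(demo())
```

Both functions return the surviving records rather than mutating the input, so a run can be reviewed (and logged as evidence that the request was honoured) before anything is committed to the real system; the post-erasure check in erase_subject is what turns "we think we deleted it" into something the organization can demonstrate.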

Special: What does GDPR mean for (marketing) automation?

The GDPR will naturally become highly relevant in digital marketing and in overall strategy and data management. It will also have a huge impact on marketing automation, reputation and brand management. Therefore, we recommend that you make sure your Content Management System, Marketing Automation Platform and Customer Relationship Management system can work together seamlessly.

Data strategy

To do that, it is wise to create a clear data strategy: one that can be implemented in multiple departments and can be followed by everybody in the organization. This strategy contains information about how to deal with data coming in from multiple channels, how to work with data once it is in the database, and how privacy and security are assured throughout the organization. The strategy should be easy to understand for everybody, so all departments can contribute.

To create a data strategy, several steps need to be taken. The first step is to think of the purpose of your data. What is your data used for, and do you have all the information needed for that? Also, think about data that you might have but don't need: is it necessary to still collect that information, or is it more efficient to stop asking for those details? Especially with the rules of the GDPR in mind, start deciding which information you really need from your (potential) customers and get rid of all other information. This will make it much easier to find the right information about customers and allows your organization to work more efficiently.

The next step is creating data rules. Start writing a data plan with rules about the collection, use and storage of data. Introduce this plan to everyone in the organization and, if necessary, teach your colleagues how to work with the data according to these rules. Show them what is expected of them and why, so everybody understands. Understanding will lead to more acceptance and better implementation.

Third, start cleaning the current database. Get rid of all duplicate records, complete all incomplete data, and check if there is any information that does not need to be there or that is written with typos or spelling errors. This can be done manually, but be aware that there are many tools and applications that can help you do this a lot faster.

Once all these steps are done, make sure that the rules are followed as planned so no new duplicates or incomplete records are created. This will help you guarantee high data quality and validation of your records, both important conditions of the GDPR.

Marketing Automation and the GDPR

For marketing automation tools the GDPR has a significant impact. Most marketers basically do everything with their marketing automation tools. Most contact moments, or touchpoints, are generated from a marketing automation tool. In many cases, marketers have scheduled automated nurtures to stay in touch with their (potential) customers. In many cases, this gets activated when certain fields are filled in, or based on certain algorithms, visited pages or downloads. In other words: it all depends on data.

How can Plauti help?

Concluding from the above information: it is important to have your data sorted and clear, something we call Data Happiness. Plauti can help you create Data Happiness and help you get ready for the GDPR.

Data transfer is one of the main pillars of the GDPR. It means that everyone has the right to transfer their data from one provider to another. If your customer decides to leave and needs all their data to be transferred, you need to make sure you have the right and complete information. This can be done by using Duplicate Check to find duplicates. Duplicate Check can identify and report on duplicate records in all objects, even those with spelling errors or typos. It also finds duplicates between different objects. Once these duplicates are found, Duplicate Check can help merge them. The benefit of merging duplicates is that no information gets deleted; all data is placed in one record. With the information merged into one account, it is easy to transfer it to another organization.

Plauti's other solution, Record Validation, can format and validate the records in your database. This means that all your records are standardized and set in the same format. Because of this, you are sure that the data is validated when it is transferred to another company, so this company receives real and validated data.

With the right to be forgotten, make sure that all information about a person is linked to that one person. This way, when it is deleted, you are sure there is no information left elsewhere. Because Duplicate Check can merge all information about a person into one record, it is safe to say that no more information about a customer shows up somewhere else in your database. With the data solution Record Validation, records are always validated. If this information is duplicate-free, you can guarantee that everything you know about a customer is deleted once the customer says they want to be removed from the database.

Use the application Duplicate Check on a regular basis to keep your database clean. Schedule jobs to find duplicate records and use the merge possibilities to merge them.

Find, merge and prevent in a customized environment

Both Duplicate Check and Record Validation can be customized to suit your unique Salesforce. Create your own strategy on how to identify duplicate records. Because of the many different features, applicable to different roles in an organization, and the possibility to customize to your personal preference, everybody can work with our data solutions: from the CEO to the receptionist. With a clean and duplicate-free Salesforce, it is much easier to match the right information to the right person. This means you only have to remove personal information from one location, the usage rights are easy to determine and a data leak is easily located.

Create Data Happiness with Plauti

Plauti B.V., Nieuwe Oeverstraat 31-9, 6811 JB Arnhem