SMARTe is not a legal expert and is not an authority on the interpretation of the GDPR or any other regulation. This blog is for discussion purposes only. We recommend that you obtain independent advice from qualified legal counsel on how the GDPR or any other data law affects you or your business.
Are you already #GDPR compliant? Or are you on your way to becoming GDPR compliant? Or have you finally decided that you have to get GDPR compliant? Either way, here are some pointers for discussion, and a note on how SMARTe can help you comply with the GDPR when handling consented data.
A major survey sponsored by the international law firm McDermott Will & Emery and carried out by the Ponemon Institute found that 40% of companies expect to achieve compliance with the regulation only after the 25 May 2018 deadline. Below we list some best practices to consider, so you can check whether you are on track and what immediate steps you should take.
The General Data Protection Regulation (GDPR) is a major reform of EU data protection law (it replaces the 1995 Data Protection Directive) and is likely to set the standard for data protection regulation globally. Two of its most influential features are accountability and enforcement.
Accountability – One of the GDPR's core principles: your organization is responsible for complying with the Regulation and must be able to demonstrate that compliance. In practice this means building documented, evidenced practices rather than just writing policies.
Enforcement – The GDPR requires each member state to establish an independent supervisory authority, commonly called a Data Protection Authority (DPA). Their task is to monitor and enforce the Regulation and protect the fundamental rights of individuals. Organizations that cannot adequately evidence compliance with the accountability principle face substantial penalties: the Regulation allows administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
- Begin with a GDPR Readiness Program Team
The first phase of GDPR compliance is to plan all the activities needed for GDPR readiness in your organization. It starts with obtaining buy-in from management and the executive team, along with the key stakeholders responsible for the success of the GDPR program. The next step is to build a data team made up of the core stakeholders who use company data. That team should focus on maintaining the accuracy and protection of your prospect and customer data. It is also important to identify and educate the other relevant stakeholder groups across your organization, such as Customer Relations, Human Resources, Marketing, Procurement, Systems Development, IT, Information Security, Legal, Risk, and Compliance.
- Identify and assess your relevant Data Practices
Once your GDPR program team is in place, with clear goals outlined, key milestones defined and measurable objectives set, map all the relevant business processes and the flow of Personal Data through each of them (collection, processing, storage and transfer). Questions to answer:
- What prospect and customer data do you collect or capture?
- Where do you store the collected data?
- What are your major sources of data collection: website, trade shows, third-party data providers?
- What is the purpose and intent of collecting prospect and customer data?
- How does the data flow across the organization?
- Who, apart from the identified key stakeholders, has access to the data across the organization?
- What security measures are in place to protect the data?
- Data Protection Practices when you store data in CRM or MAP
All marketing activity data is usually stored in a CRM and/or a marketing automation platform (MAP), and in many organizations the two sync data in both directions. It is important to know whether your CRM/MAP vendor protects your customer and prospect data: access controls, regulatory compliance, and information and application security processes and tools. In addition, find out which existing functionality can help you protect the data, such as user roles and permissions, an audit history of user activity and data updates, and the ability to enable or disable automatic data capture. You should also document the flow of data across all your systems so that you know what data exists and who has access to it.
- What kind of Data is collected?
Every day a lot of data is collected from various sources and stored in your CRM/MAP. It is essential to know what type of data is being collected and stored, and whether any sensitive information is captured along the way. Under the GDPR, personal data is any information relating to an identified or identifiable natural person, for example a name, surname, email address or phone number.
Sensitive information is data that reveals or identifies:
- Government ID and financial account numbers (not "special category" data under GDPR Article 9, but high-risk and commonly treated as sensitive)
- Health data
- Genetic and biometric data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Sexual orientation or sex life
- Trade union membership
B2B sales and marketing teams usually do not collect or process such sensitive personal data. However, if you do hold any of the above types of data about your prospects or customers, your legal obligations under the GDPR are much stricter: special-category data may only be processed under one of the narrow conditions in Article 9 (typically explicit consent), and the security measures expected around it are correspondingly higher.
- Ongoing Database Health check plan
Once you are familiar with the data and how it is collected, the next step is to write a data practices policy for compliance. Your data protection plan should cover how data is gathered and stored, notification requirements, and uniform practices across the organization. It should clearly define the purposes for which data will be used, the practices for updating data and purging old data, and the security practices and procedures that protect it.
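The three sections above (knowing what sits in the CRM/MAP, classifying it, and purging stale records) can be turned into a repeatable check. The following is an added example written for this page, not SMARTe's code or a product feature: a small Python script that reads a constructed CRM/MAP CSV export, classifies each column as ordinary personal data, GDPR Article 9 special-category data or other, lists the records that actually carry special-category values, and flags records past an assumed 24-month retention window measured from last contact. The column names, the sample rows and the retention period are assumptions for illustration; map them to your own export.

```python
"""Data-inventory check over a CRM/MAP export (added example, not SMARTe code).

Assumptions for illustration: column names follow a typical CRM export,
retention is 24 months from last contact, and the sample rows are constructed.
"""
import csv
import io
from datetime import date

# Assumed column names mapped to GDPR Article 9 special categories.
SPECIAL_CATEGORY_FIELDS = {
    "health_condition": "health data",
    "genetic_marker": "genetic data",
    "biometric_id": "biometric data",
    "ethnicity": "racial or ethnic origin",
    "political_party": "political opinions",
    "religion": "religious or philosophical beliefs",
    "union_member": "trade union membership",
    "sexual_orientation": "sexual orientation",
}

# Assumed column names that hold ordinary (business-card style) personal data.
PERSONAL_FIELDS = {
    "first_name", "last_name", "work_email", "work_phone", "job_title", "company",
}

RETENTION_DAYS = 730  # assumption: purge contacts not touched for 24 months

# Constructed sample export; the people and companies are fictitious.
SAMPLE_EXPORT = """contact_id,first_name,last_name,work_email,work_phone,job_title,company,political_party,last_contact
1,Ana,Silva,ana.silva@example.com,+351210000000,CISO,Example AG,,2024-01-15
2,Jonas,Berg,jonas.berg@example.com,+4930000000,VP Sales,Example GmbH,Green Party,2023-11-20
3,Marie,Dubois,marie.dubois@example.com,+33100000000,CTO,Example SAS,,2021-03-01
4,Luca,Rossi,luca.rossi@example.com,+39060000000,Head of IT,Example SpA,,2022-06-01
"""


def classify_columns(header):
    """Sort export columns into personal, special-category and other."""
    result = {"personal": [], "special_category": [], "other": []}
    for col in header:
        key = col.strip().lower()
        if key in SPECIAL_CATEGORY_FIELDS:
            result["special_category"].append(col)
        elif key in PERSONAL_FIELDS:
            result["personal"].append(col)
        else:
            result["other"].append(col)
    return result


def special_category_hits(rows):
    """Return (contact_id, column, category) for every populated special-category cell.

    An empty column is only a schema risk; a populated one is data you must
    justify under Article 9 or delete.
    """
    hits = []
    for row in rows:
        for col, label in SPECIAL_CATEGORY_FIELDS.items():
            if (row.get(col) or "").strip():
                hits.append((row["contact_id"], col, label))
    return hits


def overdue_for_purge(rows, today, retention_days=RETENTION_DAYS):
    """Contact IDs whose last_contact is older than the retention window."""
    overdue = []
    for row in rows:
        last_contact = date.fromisoformat(row["last_contact"])
        if (today - last_contact).days > retention_days:
            overdue.append(row["contact_id"])
    return overdue


def inventory_report(export_text, today):
    """Run all three checks over a CSV export and return a dict a DPO can review."""
    reader = csv.DictReader(io.StringIO(export_text))
    rows = list(reader)
    return {
        "columns": classify_columns(reader.fieldnames),
        "special_category_hits": special_category_hits(rows),
        "overdue_for_purge": overdue_for_purge(rows, today),
    }


def run_sample(today_iso="2024-06-01"):
    """Convenience entry point: run the report on the constructed sample export."""
    return inventory_report(SAMPLE_EXPORT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for section, value in run_sample().items():
        print(f"{section}: {value}")
```

On the sample, the report flags `political_party` as a special-category column, contact 2 as the only record that actually populates it, and contacts 3 and 4 as past the retention window (contact 4 is 731 days old on 2024-06-01, one day over the limit, which is the boundary you want the purge job to get right). Pointing the same functions at a real export, or scheduling them against a nightly CRM dump, gives you the recurring "database health check" the section describes.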
How does SMARTe address GDPR?
SMARTe, as a data processor, is committed to GDPR compliance and to keeping up with changing regulations, while delivering its Data as a Solution sales and marketing intelligence platform.
SMARTe's business model processes only business contact information for EU contacts, such as company, job title, work email address and work phone number. We do not source, collect or provide sensitive personal information such as health information, political or religious beliefs, or internet search history. We simply provide information that is typically found on a business card, an email signature block, or a public professional profile.