1. Make sure data officers know where and how you collect data
The new rules mean you need people with specific, named data-handling responsibilities. One of the first challenges for anyone in such a role is finding out where all the personal data actually is: which systems hold it, how it got there and why. If our early conversations with people taking on these responsibilities are anything to go by, most of them face an almost impossible task on their own. If you want to be compliant, your organisation will need to support them.
2. Check terms and conditions around consents
This is definitely an area where specialist legal advice is a good investment. For an e-commerce business, for example, it could be the difference between being able to retain historical transaction data, which is invaluable for forecasting, and having to delete it.
Under the new rules, consent needs to be specific, and this applies to organisations targeting businesses as well as consumers, because business contacts are still individuals. Legal advice is particularly advisable on the definition of "legitimate interests" as an alternative basis for processing, which is woolly at best.
3. Audit processes of ALL software and service providers
Think of GDPR compliance as a kind of joint enterprise: every component that makes up an overall web solution (hosting, CMS, analytics, email, CRM, payment and so on) needs to be compliant, otherwise you could all be in trouble, because liability does not stop at your own code.
Obviously, GDPR compliance means different things to different organisations. What we are advising is that you open a conversation with each provider about what they have done to adhere to the regulations, and get the answer in writing. If the answer is fuzzy, you've probably got a problem.
4. Streamline data subject access requests and revoking of consent
These are the areas most likely to cause business disruption, because each request carries a deadline and touches every system that holds the person's data.
Process design is part of the equation, but there's also a lot that can be done online to minimise the effects of people asking to be forgotten or asking for a copy of their data. The new tools in Kentico V11 will help in this regard by tying consents to its contact management system, which can be integrated with CRM and ERP records.
5. Data/Privacy by design for all major updates
It will be difficult for lots of organisations to get their heads round designing journeys for customers to disengage, but the new rules stipulate that it must be "as easy" to withdraw consent as it was to give it in the first place.
A talk I saw by Saul Gowens from Websand demonstrated that losing subscribers isn't necessarily a disaster. Some unsubscribed customers actually continue to buy. There's also the common-sense argument: wouldn't you rather have a smaller database of engaged customers than a large pool of slightly irritated and disengaged people?
6. Consider extending CRM and ERP integrations
Yes, integration projects can be tricky and take time, but closer bi-directional integrations might be the answer to most of your problems.
The main reason to do this is to give you a single point of user data, keyed by one shared identifier, making it much easier to administer consent changes and to assemble a full data record in the event of a data subject access request. Our webinar on SPUD (single point of user data) below might help you think about how this could be implemented if you're struggling.
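One way to build that single point of user data, as an added example serving points 4 and 6 above (this is illustrative code, not Kentico's and not the author's): an append-only consent ledger keyed by a contact id that is shared with the CRM and ERP. The shared id, the in-memory dictionaries standing in for those systems, and the choice to pseudonymise rather than delete the ERP record on erasure (on the assumption that transaction history has its own retention basis, as point 2 discusses) are all assumptions made for the example.

```python
"""Consent ledger plus DSAR export and erasure across integrated systems.

Added example, not Kentico's code: assumes one contact id shared by the web
CMS, CRM and ERP, with plain dicts standing in for those systems.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    purpose: str        # e.g. "marketing_email"
    granted: bool       # True = consent given, False = withdrawn
    source: str         # where it was captured, e.g. "checkout"
    at: datetime


class ConsentLedger:
    """Append-only consent record; the current state is derived, never edited."""

    def __init__(self):
        self._events = []

    def record(self, contact_id, purpose, granted, source, at=None):
        self._events.append(ConsentEvent(
            contact_id, purpose, granted, source, at or datetime.now(timezone.utc)))

    def current(self, contact_id):
        """Purposes currently consented to: the latest event per purpose wins."""
        latest = {}
        for ev in self._events:          # appended in time order
            if ev.contact_id == contact_id:
                latest[ev.purpose] = ev
        return {p for p, ev in latest.items() if ev.granted}

    def withdraw_all(self, contact_id, source):
        # Withdrawal must be as easy as giving consent, so one call drops every
        # purpose currently granted rather than forcing a per-list opt-out.
        for purpose in sorted(self.current(contact_id)):
            self.record(contact_id, purpose, False, source)

    def history(self, contact_id):
        return [ev for ev in self._events if ev.contact_id == contact_id]

    def pseudonymise(self, contact_id, token):
        """After erasure keep only the withdrawal events, re-keyed to a token,
        as a suppression record so a later CRM/ERP sync cannot re-subscribe
        the person (design assumption of this example)."""
        self._events = [
            ConsentEvent(token, ev.purpose, ev.granted, ev.source, ev.at)
            if ev.contact_id == contact_id else ev
            for ev in self._events
            if ev.contact_id != contact_id or not ev.granted
        ]


def make_systems():
    """Constructed sample CRM/ERP stores keyed by one shared contact id."""
    crm = {"c-1001": {"name": "A. Example", "email": "a@example.com"}}
    erp = {"c-1001": {"orders": [{"id": "o-1", "total": 49.90}]}}
    return {"crm": crm, "erp": erp}


def subject_access_export(contact_id, ledger, systems):
    """Assemble the full record for a data subject access request."""
    return {
        "contact_id": contact_id,
        "consents": {
            "current": sorted(ledger.current(contact_id)),
            "history": [
                {"purpose": e.purpose, "granted": e.granted,
                 "source": e.source, "at": e.at.isoformat()}
                for e in ledger.history(contact_id)],
        },
        "records": {name: store.get(contact_id) for name, store in systems.items()},
    }


def erase_subject(contact_id, ledger, systems, retain=("erp",)):
    """Right to erasure across every integrated system.

    Stores named in `retain` are assumed to hold records with a separate legal
    basis for retention (e.g. transaction history); those are re-keyed to a
    pseudonymous token instead of deleted. Returns the action taken per system.
    """
    token = "erased-" + hashlib.sha256(contact_id.encode()).hexdigest()[:16]
    ledger.withdraw_all(contact_id, source="erasure_request")
    ledger.pseudonymise(contact_id, token)
    actions = {}
    for name, store in systems.items():
        if contact_id not in store:
            actions[name] = "absent"
        elif name in retain:
            store[token] = store.pop(contact_id)
            actions[name] = "pseudonymised"
        else:
            del store[contact_id]
            actions[name] = "deleted"
    return actions
```

The point of the design is that every system is reached through the one id: a subject access request is a single export call, withdrawal is a single ledger call, and erasure walks the same map of systems, so no store gets forgotten. Whether a given store may be retained under pseudonym rather than deleted is a legal question for your own data, not something the code decides.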