What is the GDPR and What Can You Do to Prepare Now?


Think quick: Are you ready for the GDPR?

If your first thoughts were “no,” or “I don’t know,” (or even “What is GDPR?”), the good news is that you’re not alone. Many companies simply don’t know enough about this new regulation, and what they need to do to prepare now.

To help, we wrote this article to provide a general overview of the GDPR and how it could affect your organization. We also give you a checklist of many actionable tips and strategies you can follow to begin your GDPR preparations now. Disclaimer: When considering how to deal with issues of a legal nature, we always advise consulting with qualified counsel. You should not interpret these tips to be substitutes for real legal advice provided by your legal department or outside counsel.

If you’re looking for information about what Liveclicker has done to achieve compliance and how this benefits our customers, you can find it in this blog. (For all of this information, all in one place, please request Liveclicker’s GDPR Overview document from your Liveclicker account development manager or sales rep, as appropriate.)

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation that is intended to strengthen and unify data protection and privacy controls for all individuals within the European Union (EU) by mandating stricter data collection and storage practices.

GDPR will be legally binding and enforceable beginning May 25, 2018 and will have costly penalties for those companies that fail to comply. For example, any organization that has a presence in the EU or the UK could face a fine of €20M or four percent of total annual revenue (whichever is higher) for non-adherence to the core principles of processing personal data, infringement of the rights of data subjects, or the transfer of personal data to countries or organizations that do not ensure an adequate level of data protection.

If your company does business with citizens in the EU, the GDPR could definitely affect your organization. Yet the GDPR is not just a concern for organizations based in European countries. For example, U.S. laws now allow EU countries to create class-action lawsuits against U.S. companies, which may have to be defended in each country. Additionally, 29 U.S. states now have similar laws and can impose fines within 30 days of a breach where personally identifiable information (PII) is lost or exposed.

If your organization collects email addresses from EU citizens or sends commercial email messages to EU citizens, you could be at risk.

As a result, understanding GDPR – and doing all you can to prepare – is vital to make sure you’re in compliance.

A GDPR checklist: Follow these steps to achieve compliance now

According to the GDPR, any company that collects data on EU citizens (such as email addresses) and decides how that data is used (such as sending email to EU citizens) is an entity known as a “Data Controller.”

If your organization is a Data Controller, you need to take steps to achieve compliance with the GDPR:

  • Audit your opt-in process. Marketers will need to be able to provide proof of opt-in and consent to data collection policies. Your email service provider (ESP) typically houses this data.
  • Examine your data collection practices. Marketers should understand what data is collected on EU citizens, including data collected by their ESP and other third-party technology providers like Liveclicker.
  • Update your privacy policy. If your organization is collecting data on subscribers that is not explicitly mentioned in your privacy policy, the policy should be updated to include all data that may be collected and stored.
  • State how consumer data will be used in “plain language.” GDPR requires the data collection practices employed by marketers to be easily understood by EU citizens. Specifically, GDPR mandates the use of “plain language” in data collection policies that are “easily accessible.”
  • Be prepared to justify how your organization uses personal data. Under GDPR, organizations are only allowed to store the minimum amount of personal data necessary. You should be prepared to justify how your organization is using any data that it is collecting on email subscribers.
  • Ensure consumers can delete any personal data your organization collects. Your organization must provide a way for consumers to permanently erase personal data that may exist within your technology infrastructure. This includes data that may reside within your ESP or with other technology providers like Liveclicker.
  • Audit your vendor contracts. GDPR requires specific language to be used when your organization passes data to third-party organizations such as your ESP or Liveclicker. Make sure your vendors are doing all they can to comply.
  • Designate a Data Protection Officer (DPO) within your organization. A DPO should be an employee of your company who is able to act independently to ensure that the company is adhering to GDPR standards. This person should be well versed in your company’s data collection, storage, and usage policies and systems and have a strong understanding of the GDPR text and its implications.

We hope this information is valuable as you begin to consider and implement GDPR strategies that are right for your organization.

Find more information about what we’ve done to achieve compliance, how this benefits our clients, and ways you can reap the same benefits here.


Liveclicker enables personalization at the moment of open. Our platform helps marketers adjust emails at any time—even after they reach the inbox—so your message is always relevant and impactful.

Liveclicker
Author
