If you’re grappling with ensuring your organisation comes to terms with the customer experience-related requirements of the GDPR and new Data Protection Act and have been following the advice in these weekly blogs, then by now you have probably had lots of conversations, filled a few white boards and even changed some processes and customer journeys.
One of the 8 rights of data subjects (that’s prospects and customers to you and me) is that of Data Portability www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/
In simple terms it requires that you support and allow the easy transfer of the personal data you hold on a data subject to a new service or product provider on their instruction. This right has generally got less coverage in the lead up to the implementation of the GDPR and new Data Protection Act than two other closely related rights – to Erasure (to be forgotten) and the right to Access (Subject Access Requests).
The Right to Erasure is one of the 8 key rights for data subjects enshrined in the GDPR and the Data Protection Bill (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/). If you are responsible for ensuring both data protection compliance and a good customer experience, then how to manage the right to erasure – more commonly referred to as the right to be forgotten – needs to be high up on your list of GDPR challenges to address.
…but there can – and must – now be a free download.
Over the past few weeks we’ve identified a lot of tasks and questions for you to consider as you chip away at preparing for the GDPR and the new Data Protection Act. The amount of work or change these ‘bite-sized’ activities are likely to lead to will vary greatly from organisation to organisation.
However, if your firm’s marketing and acquisition of new prospects with future marketing permissions is heavily dependent on online content downloads (white papers, guides, infographics, etc) then the requirements of the GDPR may have a radical impact on you.
Will the GDPR hasten the demise of the big tech platforms?
The digital platforms have offered direct marketers a great alternative to traditional channels and activities. Now brands can identify, communicate with and sell to consumers through and with the help of Facebook and the others.
However, the brands and their digital agencies are operating in the platforrms’ closed worlds, according to their rules. And now the rules could be about to change…
Right, it’s whiteboard or flip-chart time again! Round up the usual suspects – sales, marketing, data and CRM heads, proposition owners, customer experience, technology – and get them to answer a couple of questions:
1. What customer personal data do we (or have we in the past) capture?
2. Where’s that personal data held?
Most organisations that are commercially driven and looking to acquire and develop customers will be focused on adults. So that probably also applies to you, but with some significant variations dependent on the sector you’re working in. As far as the GDPR and the Data Protection Bill that’s making it’s way through Parliament are concerned, no-one under the age of 13 can provide consent (which if you are planning to market to them is your most likely basis for processing their data). And for under 13s their parents or guardians should be responsible for providing consent – with exceptions for specific services like counselling, etc.
As the last two weeks’ pieces of guidance about preparing for the GDPR and new Data Protection Act have been quite dry – looking at contracts and insurance – this week you can have some light relief.
As you know, by now, this weekly series of brief, specific pieces of guidance around preparing for the GDPR and new Data Protection Act is primarily focused on organisations’ customer acquisition, retention and service activities.
But that doesn’t mean there aren’t lots of other things to focus on. An accidental or malicious data loss through a cyber breach could be extremely damaging – even ruinous – both financially and in terms of reputational damage.
So, how did you get on with writing your list of clients and suppliers involved in your ‘personal data infrastructure’ (your task from Week#5)? Odds are it’s quite a lengthy list. Every one of these organisations needs to ensure that their contractual roles are clearly defined ready for the GDPR and new Data Protection Act. The ICO issued its guidance some time ago (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/) which is pretty self-explanatory and essentially says that the one thing both processors and controllers can’t do without in future are clear, explicit contractual terms on which to process personal data.