You’re ‘on the case’ with GDPR. At a minimum you have fulfilled stage 2 of the ICO’s ‘Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now’. You know what personal data you have, where it came from, how you process it and who it is shared with.
Your Data Landscape Definition (DLD) is complete, but ever evolving in line with business change.
Much of the rest of the 12 steps is preparation, with the implementation dependent upon industry guidance.
The ICO, in its blog of 31 October, advised “we’ll publish a revised timeline setting out what areas of guidance we’ll be prioritising over the next six months”. That is expected in November 2016.
Remember, it’s not your data
With GDPR comes accountability. Customer data is the lifeblood of marketing activity. Without your customers allowing you to use their personal data, your informative or knowledgeable marketing activity would cease.
It is important to remember that it’s not your personal data. You are the guardian of that customer’s personal data for the period of time that they have given you their permission to use it in the manner that you have disclosed, with that use in line with the principles of the GDPR. The customer will have entrusted you based on the information you provided to them.
I mean really understand the information you hold
On the personal data front, you need to understand whether you are holding:
sensitive personal data
keys or pseudonymised data that can be linked back to personal data within your ecosystem
An important part of then complying with the GDPR is knowing what permission you currently hold in relation to the use of that personal data, along with when and how it was obtained. Further consideration is needed if that personal data was sourced through a 3rd party.
Once that is known you will be able to determine whether or not it satisfies the GDPR requirements. A re-permission exercise is likely, almost inevitable. A deletion policy will also likely be required, and a suppression list is likely where the data subject wants to be forgotten.
At the same time, why not check out the overall quality of the data you are holding: completeness, conformity, consistency across systems, accuracy against external reference sources and duplication?
On toward compliance
Guidance will advise of the specifics of privacy notices, consent, the consent audit trail, etc. That doesn’t detract from the need to understand your customer base now: the personal data held, what permission was obtained to process and use it, and the overall quality of your data. Start working on the communication plan to re-permission and ensure those valued customers remain. The goal is a clean, informed and responsive customer base, in good time for the GDPR.
Mal Dunsmore, Business Analysis Manager at Occam DM Ltd (part of the St Ives Group)