• Helen Pritchett

CPB is GDPR Ready – Are You?

GDPR is imminent. It presents a challenge but also an opportunity. GDPR will enable marketers to reset their priorities, strengthen relationships and build trust. The new legislation is a positive double-edged sword; not only does it put consumers in the driving seat, it will allow marketers to deliver a better customer experience and build stronger brand loyalty.

There is a lot to do to get ready for May 18th, 2018. At the very least you’ll need to ascertain if you are a data controller or a data processor, appoint a Data Protection Officer and create several GDPR specific policies and procedures. However, if this task seems insurmountable, think again. Whilst the waters may still look a little muddy there is help and support available.

The DMA and ICO are keen for companies and organisations to work with them to create the policies and procedures required for compliance. Both organisations will offer support and advice, and, from experience, this is worth accessing. Not least because the ICO has stated that if an organisation has put in place processes to demonstrate compliance with GDPR, this will be taken into account by the ICO should regulatory action be required.

CPB is in the B2B data business so GDPR compliance is high on our priority list. As such we’ve written this blog from a B2B rather than B2C perspective. We have been consulting with the DMA and the ICO to develop our GDPR policies and procedures. These include:

  • Privacy Statement

  • Cookie Policy

  • IT and Data Security Policy

  • Data Retention Policy

  • Data Processing Agreement

  • Staff Data Protection Training Plan

The GDPR Accountability Principle

Elizabeth Denham, UK Information Commissioner, has consistently stated that the GDPR accountability principle is what organisations should be focusing on. The principle requires organisations to be able to show evidence for their compliance with the GDPR and explain why they took a particular course of action.

Denham states: “We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR ... Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.

Still Unclear As To What To Do Next?

Denham recently spelt out what organisations should be doing now to demonstrate effective accountability:

  • Organisational commitment – preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data, recognising that the public has a right to know what’s happening with their information.

  • Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for GDPR.

  • Implement accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.

  • Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.

  • Train Staff – staff are your best defence and greatest potential weakness – regular and refresher training is a must.

By creating the documents mentioned, and following Elizabeth Denham’s advice above, organisations will be well on the way to adhering to the ICO Information Commissioner’s list of accountability ‘must haves’.

GDPR – Revolution or Evolution?

Clarity is coming but confusion still reigns to an extent, however, it should be noted that GDPR is not a revolution. In many areas it simply builds on, or emphasises certain aspects of, existing data protection law. Organisations that are proactive and put in place rigorous processes to demonstrate compliance with GDPR will not have a problem (and are probably already half way to compliance).

Denham acknowledges that marketers are suffering frustrations. She agrees that parts of the GDPR are ambiguous and clear guidance has not always been forthcoming from the ICO and Article 29 Working Party. But this is no excuse for inaction. Denham goes on to state that the ICO is a pragmatic regulator and is aware of the real world of business risk and cost, but this doesn’t negate the need to act, now. What is crucial is being able to demonstrate that you have the appropriate systems in place for compliance in the new GDPR world.

CPB is GDPR Ready, Are You?

If you not already acted, now is the time. Procrastination could be unhealthy for your business.

If you’re still seeking clarity on exactly how GDPR will affect your business both the DMA and the ICO are there to help you. There are fundamental differences in the way B2B marketing will be regulated under GDPR compared with B2C so seeking clarity is essential. Should you wish to talk this through with a B2B company who’s been through it, please get in touch with our Data Protection Officer, Jon Pritchett, who will be happy to help.