GDPR, Transparency & Brand Trust

With May 25th fast approaching, there has been plenty of scaremongering around strict deadlines, ever-tightening regulations, true consent and large-scale compliance strategies. While the new regulations can be overwhelming, it doesn’t have to be all bad. GDPR can have a positive impact on your consumers and clients in a way that keeps them loyal to your brand while scaling trust and encouraging repeat custom and retention rates.

A recent study in the UK by the Information Commissioner’s Office revealed that as few as 1 in 5 members of the British public purported to hold ‘trust and confidence’ in how businesses store and use their personal data. Accenture performed a similar survey, finding that “87 percent of consumers believe it is important for companies to safeguard the privacy of their information.”

Now, more than ever, is the time to focus on what your customers want. Consumers hold a strong interest in who has access to their personal data and how it’s utilised. If you have an organisation that is considering a transparent and holistic approach to how you handle customer data, you could just see a significant boost in brand trust and loyalty for your efforts – and with loyalty comes scalability.

Consent Consent Consent

One of the quickest ways to increase customer satisfaction around your organisation’s data handling and processing is by clearly defining specific, unbundled and granular consent. Consent is a hot topic when it comes to GDPR. Until now, consent could be loosely implied and didn’t need to be regularly refreshed by subjects. From the end of May onwards, personal data handling guidelines within the GDPR will be treated as a regulation rather than a directive. Make sure your customers understand the parameters around the permissions your company is requesting, what the consent means for them, how long it will last and how it can be withdrawn if the subject so chooses.

Using positive approaches to GDPR compliance can be a scary thing, but if you look at it as a brand new unique selling point you can master, customer satisfaction should increase significantly. Here’s a look at what is important to keep in mind when collecting customer consent and building trust in the process:

Transparency

Your customers’ personal data belongs to them. Any mishandling of what is deemed to be their property may lead to angry or anxious customers, never mind legal ramifications and fines. Be open, clear and real about your personal data management efforts. If your customers can’t understand how you handle their personal data, how can you expect them to remain loyal and develop trust in your brand? If consumers don’t understand the processes around consent put in place by your organisation, you may lose out. Transparency ensures any consent you request is easy for your customers to recognise, understand and agree to. Keep them in the loop by keeping your intentions out in the open.

Another great idea is to appoint your company’s Data Protection Officer, who can guide and advise your staff on how best to remain compliant and above-board. Introduce them with your new online compliance notice so your customers know they are in safe hands with a proactive and compliant business.

Education

In order to ensure your customers trust how you handle and use their personal data, you’ll need to become an expert yourself. Answering any questions your customers might have around data regulations and your organisation’s compliance with GDPR rules will reassure them that they’re with a brand they can trust. Don’t worry, becoming an expert on managing data with compliance in mind is not an overnight process, but rather an evolution that will occur naturally over time. Getting started on the road now ahead of GDPR implementation isn’t a bad idea for you or your business. Easy-to-use tools like PlanetVerify might be ideal in keeping yourself up to speed and transparent when it comes to implementing brand new ways to manage your consumers’ data with respect and compliance.

Power

Knowledge is power, and empowering your customers is a fast track to retaining their trust. By working with apps like PlanetVerify, your business will give consumers the opportunity to easily upload, verify, store and give consent for the usage or sharing of their personal data in specific, clear and controlled ways. Collect unlimited data sets in addition to actual documents.

Regardless of your business type, PlanetVerify offers something our competitors don’t – we focus on efficient, secure and compliant data collection, while our competitors typically focus on ‘verifying’ individuals. That also includes simple name and address collections of customers you might have in any business type, whether it’s a yoga studio or property advisory firm. Increase customer loyalty from the get-go and schedule a demo today.
7 Top Tips for Getting GDPR Ready

With GDPR on the home stretch and hurtling towards your business, you have a couple of months left to pull up your socks and straighten that tie. Companies need to prepare for full enforcement of GDPR regulations as of May 25th 2018. While the new General Data Protection Act can seem daunting at first glance, it isn’t too late to implement the changes you need to remain compliant.

We’ve prepared 7 quick and easy additional tips that will have you in tip top shape well before the GDPR rules change. Read this article on the basics of GDPR 2018 and what to expect before you continue on to these extra points. Give yourself and your customers peace of mind by taking heed of these interesting and important changes.

Tip 1: Don’t Be Afraid!

Don’t let scaremongering around the impending GDPR regulations bother you. Your industry may be bustling with talk about what you should and shouldn’t change, but this is a time to become more in control of the data you manage and store, and less unsure of where you stand if you’re hit with SARs (Subject Access Requests). Focus on embedding long-term and systematic “privacy by design” processes and policies to strengthen your organisational structure. It’s not as scary as it seems, and is actually quite a straightforward process if you tick all the right boxes. Read on to learn what the main ones are.

Tip 2: GDPR Applies to Everyone

If you’re wondering whether your company needs to change its data storage and protection practices in preparation for the new GDPR regulatory changes, the answer is YES. This new legislation is set to affect all industries regardless of the organizational functions of these businesses. If you’ve got personal data from partners, clients or employees, you’ve got to make some changes.

For the first time in history, the European Commission is exporting European data protection principles globally, meaning any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR. This will be the first global data protection law, and just another reason for companies to start taking data privacy more seriously.

Tip 3: Keep External Compliance Notices Together

Deal with all of your external compliance obligations in one place for ease of access and use. We know your privacy notice should clearly state why you are collecting personal data, how it’s being stored, what it is and what you’re using it for etc. This information can be published online along with your copyright notice, which explains what your position is on copyrighting. Having all of this information in one place makes it clear and concise for your customers and partners while maximising transparency and compliance. It means fewer inbound inquiries about your data storage and management processes for you too.

Tip 4: The Definition of Personal Data

In the past, many forms of personal data were not relevant when it came to the reach and relevance of GDPR. As a broad term, personal data is about to become even broader, with GDPR extending its reach significantly. The important thing to take note of here is that the new GDPR guidelines outline that any information that can be used to identify an individual is now considered to be personal data and must be treated as such according to the new regulations.

For the first time, things such as genetic, mental, cultural, economic or social information will be deemed personal data, and treated as such. So, if you’re unsure about certain types of data and whether they fall under the new GDPR’s umbrella of rules and regulations, your best bet is to assume they do. From here on, very few forms of personal data will not fall under these regulations.

Tip 5: Data Breach Notification Reqs

The GDPR draws on various European data breach notification laws and is aimed at making sure companies and organisations constantly monitor for breaches of personal data they collect and store. Organisations will be expected to alert their local data protection authority within 72 hours of any personal data breaches they are alerted to. This means you’ll need to consider the technologies and processes you need in place to enable appropriate and efficient detection and responses to a data breach if or when it occurs.

Tip 6: Purging Data at a Subject’s Request

The GDPR introduces a very strict and documentable set of regulations to ensure personal data is always available upon request. With the new GDPR regulations, subjects have the authority to request their information to be purged, or forgotten. If a client or partner requests for their personal data to be permanently deleted, you must do so swiftly. This is considered an SAR demand and must be met in order to remain GDPR compliant.

This new approach to the minimisation of data storage means that organisations will be required to expunge data as quickly as possible. That is, they can only retain information for as long as is absolutely necessary. What’s more, if organisations wish to change the way in which they use data they already possess, they must issue fresh requests for consent to subjects before implementing those changes in data usage.

Tip 7: Map Out the Path to May

Map out the next steps for your organisation to take on the road to becoming GDPR compliant in the nick of time by May 25th 2018. Create purposeful steps using short, medium and long term actions, deciding which employees will take them forward and see them through to completion. Create GDPR training schedules for all staff who deal with personal data, preparing them for the on-the-job rules they must adhere to and ensuring the change is implemented as early as possible, resulting in a smooth transition. GDPR is everyone’s responsibility and, through action and engagement, your staff will be as comfortable with it as you will be.
With GDPR fast approaching, most organisations have finally decided to get their (data) house in order and make some drastic changes in terms of how, where and why their personal data storage and usage is structured. It’s clear that the impending changes to GDPR in May 2018 will be more strictly enforced than ever before, and defining what should and shouldn’t be done is key to implementing a proactive plan as soon as possible.

These new regulations will introduce fresh processes for dealing with sensitive personal data collected from your clients and partners, meaning that, if unprepared for the change, your company could see itself facing issues like SARs (Subject Access Requests) – based on what personal data you have, how you store that data, and what you use it for.

Among the main issues expected to arise for unprepared establishments are those surrounding explicit consent. From early next year, GDPR will ensure companies will be required by law to provide a clear explanation of the processing to which subjects are providing explicit consent. It will also need to be of a clearly voluntary and “opt-in” nature, with the possibility to unsubscribe or purge personal data and explicit consent easily, should the subject choose to do so at any time. Gone are the days when silence or inactivity were good enough to collect consent (e.g., pre‑ticked boxes do not constitute valid consent). That’s where the legacy data conundrum comes in, making the upcoming changes in GDPR a little more confusing.

Legacy data – what is it?

Legacy data can be described as information or personal data which has been stored in an old or obsolete format or computer system that is, therefore, difficult to access or process when required. Once this data is moved over to a new system and set of processes, it’s still legacy data, and will need to be treated in a very specific way. The question on everyone’s lips is: ‘What will happen to the personal data your company has collected under pre-existing data protection laws once GDPR and explicit consent are fully enforced?’

Legacy data – what needs to be done

With most information being foggy around the usability and maintenance of legacy data post-GDPR enforcement, some things are very clear. It’s not a safe bet to rely on leniency over legacy data and explicit consent issues. When asked about whether or not we can still use legacy data that has been collected in line with past legislation, Steve Wood, the UK’s Information Commissioner’s Office Head of International Strategy and Intelligence, recently commented at an IAPP event: “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” He continued: “What you will see is a common-sense, pragmatic approach to regulatory principles.”

Keeping that in mind, the only logical approach is to adopt a strategy for re-consenting and re-permissioning before the deadline hits. All old personal data will have been collected in a way that will become obsolete as of May 2018, and no grandfathering privileges will be observed for legacy data in the aftermath.

Legacy data & email marketing

On the topic of legacy data and direct email marketing – things can be approached a little differently. For current customers and email subscribers, you will need to be ready to supply proof of an existing customer relationship and provable subscriber consent. For lapsed customers and inactive email subscribers, you will not be allowed to use their personal data any longer and will need to delete unnecessary information and roll it up into reporting data.

If you have active subscribers on your email lists but do not hold provable explicit consent, it may be possible that this activity in itself can constitute proof of a current existing customer relationship. You’ll need to prove the value of the content you are delivering and its functionality as a standalone service. You’ll also need to prepare for a case around the perceived loss that would be suffered should the deliveries cease.

A solution to legacy data uncertainty

We recommend avoiding the hassle and availing of a service within our platform whereby you can ingest your legacy databases and batch email all legacy data subjects to request fresh explicit consent in one click. From there you have an auditable log of data subjects who consent to your terms and those who have rescinded consent. You can set rules to automatically purge non-responders from your database.

With PlanetVerify you can manage, verify and store your customers’ personal data from one dashboard. Collect all new personal data through the same systems going forward. Free up your time for Q1 of 2018, forget about GDPR compliance, and shrug off SARs stress.