GDPR is about accountability for how your organization uses personal data. GDPR is not applicable to anonymous data or information that is not personally identifiable. It is about being responsible and complying with EU regulations. It’s also sensible, good business practice. This article is a set of resources to help demystify GDPR for B2B SME business leaders and marketers.
On May 25, 2018 the GDPR (General Data Protection Regulation) came into force for organizations doing business in the European Union. It applies to all organizations based in the EU, and those who provide services, sales, communicate with or monitor the behaviour of people who reside in the EU.
Each aspect of this article is structured around four sections:
- what it’s good for, to put the resource into context,
- the data source, so you have a perspective on reliability,
- a suggested action to take (research information should always drive action or change), and
- a time estimate of how long you’ll need.
An Introduction to GDPR
- Good For: Getting started. This 15-page overview maps out a path to GDPR compliance and good behaviour. Review the official Data Protection guidance for SMEs.
- Data Source: the official Irish Data Protection Commissioner. If you prefer your own country (or language) see the bottom of this page.
- Summary: GDPR is about being transparent on how your organization is “using and safeguarding personal data, and … demonstrat[ing] accountability for data processing activities”.
- An example of personal data is: an email address collected on your website or at a tradeshow.
- An example of transparency is: informing website visitors how you use their information in data privacy notices, such as a pop-up with a ‘click to accept’ notice on your website.
- Take Action: Review the Self-Assessment Checklist (It’s at the bottom of the page)
- How Long: ~10 Minutes
The Principles of GDPR
- Good For: Getting a handle on the core ideas. Included in this McKinsey article is a tidy graphic outlining the key principles of GDPR. Larger organizations may also find the rest of the article informative (albeit written in a scary tone!). Process personal data:
- in accordance with the principles of lawfulness, fairness, and transparency;
- for specified, explicit and legitimate purposes, i.e. “purpose limitation”;
- with a view to data minimisation;
- with a view to ensuring it’s kept current and accurate;
- such that data is kept for no longer than is necessary (storage limitation), with anonymization or deletion encouraged; and
- in a manner that ensures appropriate security for integrity and confidentiality.
- Data Source: McKinsey Consulting, quoting the EU Regulation, and FutureLearn.
- Take Action: Review The GDPR Principles Table By McKinsey
- How Long: ~2 Minutes
GDPR Key Terms
- Good For: Getting grounded in the lingo.
- Privacy by Design: “consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data.” In other words, the default approach is to assume the privacy of personal data.
- Personal Data: “any information relating to an identified or identifiable natural person.” An example would be a photo or someone’s email address.
- Data Controller: the person or organisation who decides the purposes for which, and the means by which, personal data is processed. The ‘purpose’ of processing data involves ‘why’ the personal data is processed, and the ‘means’ involves ‘how’ the data is processed.
- Data Processor: A person or legal organisation that processes personal data on the behalf of a data controller. Processing includes storing and transmitting data.
- Data Subject: A data subject is the individual to whom the personal data relates.
- Cookies: these are small text files that are added to your browser when you visit a website. Harmless in themselves and easy to remove, cookies are key to website operations and can store different types of information. Understanding how cookies work in your offering and on your website is important.
- Data Source: The Irish Data Protection Regulator
- Take Action: Become Familiar With Those 5 Terms.
- How Long: Absorb those 5 key terms once more, then you’re done! 🙂
GDPR Action Plan Template
- Good For: Getting started with an action plan tailored to SMEs. (See also the NGO source below which has a wonderful checklist within top 10 tips)
- Data Source: The Irish Data Protection Regulator
- Take Action: Review the Template for SMEs To Prepare for GDPR (via GDPR and you dot ie)
- How Long: ~10 Minutes To Review
GDPR and Online Software Data Services
- Good For: Organizations that use software-as-a-service tools. The template and checklists guide you in considering where data is housed and processed. For example, here is MailChimp on GDPR, SurveyMonkey on GDPR and Facebook on GDPR (used by JEM 9). In many cases these well-established organizations are your best partner. For example, MailChimp keeps track of when someone subscribed or was added to the list, and also provides a mandatory, easy unsubscribe option on every email you send.
- Data Source: Various
- Take Action: Check Who Houses Your Data & Review Their Data Policies (as part of your broader review)
- How Long: It Depends
GDPR Comprehensive SME Overview
- Good For: Understanding the underlying principles and plenty of excellent GDPR examples for all but the largest organizations.
- Data Source: 1) Suzanne Dribble, a data protection business law expert who learnt her trade at the world’s largest law firm. EXCELLENT ACCESSIBLE RESOURCE!! or 2) Irish Data Protection Commission – Guidance for SMEs (15-page PDF which includes tables for your action plan).
- Take Action: Watch GDPR On-demand Webinar
- How Long: ~2 Hours
GDPR Through The Sales Cycle
- Good For: Placing data protection (and principles) in the marketing communications and sales context. This graphic enables you to quickly identify which teams, people and processes are likely impacted by GDPR.
- Data Source: Hubspot Online Sales & Marketing Communications Software
- Take Action: View the GDPR Marcom Flow Graphic
- How Long: ~2 Minutes
Getting GDPR Questions Answered
- Good For: Answering GDPR questions of online and smaller businesses.
- Data Source: the group is run by Suzanne Dribble, a data protection business law expert who learnt her trade at the world’s largest law firm. This group and Suzanne’s videos answer many questions; rated “hugely useful”!
To join the group you agree to the following (which is so clever and I just love!): “Please confirm that you will read the pinned post (that will give you a simple introduction to GDPR compliance) before you ask questions in the group.”
- Take Action: Join the Facebook GDPR For Online Entrepreneurs Group
- How Long: It Depends On Your Questions
GDPR And “Legitimate Interest”
- Good For: When your organization (you, as the data controller, acting via your product development or marketing communications team, for example) has an existing “relevant and appropriate relationship” with clients or prospective clients (the data subject). You may not need to reconfirm in order to communicate with data subjects. It’s about “balancing your interest and their interest”: be sensible.
- An example might be: making clients aware of an upgrade or improvements to a product that the data subject previously purchased from you.
- Another example might be: if someone signs up for a conference, you have a legitimate interest in providing information about that conference.
- A related example might be: if someone purchases something from you and you want to send them updated shipping information. (Strictly speaking this falls under contract law, but I find it a useful example from the point of view of demonstrating ‘balanced interest’.)
- Data Source: Marketing Week is a UK registered organization providing news and information for marketing, advertising and media professionals.
- Take Action: Learn More About Legitimate Interest For Marcom Professionals.
- How Long: ~1 Hour
GDPR & Fresh Consent: Do I Need To Ask Again?
- Good For: Understanding how to approach your existing data. If the data was collected in a manner that complies with GDPR, there is no need to ask again; but you need to be sure that consent was explicit and is verifiable! Typically this will include things like:
- opt in (such as clicking on ‘I agree’ or ‘Sign Me Up’),
- the ability to withdraw any time (such as an easy unsubscribe), and
- Data Source: Various.
- Take Action: Check How Personal Data Was Collected OR Get Fresh Consent.
- How Long: It Depends.
List Of European Union Data Protection Authorities
- Good For: Getting local language support. For example, here is the Luxembourg guide.
- Data Source: The Irish Data Protection Officer
- Take Action: Find the official resources for your country
- How Long: ~1 Minute
Disclaimer: these resources are provided to help get you started with GDPR. Please use official sources and informed legal advice for decision making. N.B. the rules are very different for those with more than 250 employees and for sensitive personal data (such as sexual orientation). So do the right thing by your customers and prospects by treating their data carefully, and use GDPR to ensure your data stays in order.