This is my third and final blog on the EU’s upcoming General Data Protection Regulation (GDPR), which comes into effect from May 25th 2018.
To recap, the aim of GDPR is to protect the personal data of EU citizens and enhance legal rights in this area. All firms that deal with EU citizens – regardless of where they are based – must comply and huge fines can be imposed on those who transgress.
In basic terms, GDPR requires you to obtain consent for collecting client data, such as email addresses, be specific on how you will use it, and allow your clients to access, correct and delete their data if requested. You can read about requirements in more detail in my last blog on this subject.
At my firm – ProFundCom – we are the leader in digital marketing for the finance sector, so obviously GDPR is of huge importance to us. We’ve completed a rigorous examination of the terms and implications of GDPR to make sure our system and processes are 100% compliant.
And in that process, we’ve learnt a lot about what financial firms must do to prepare for the advent of GDPR. Here are some key recommendations:
Complete a data audit
Unless you have very accurate and up to date records, a full data audit is necessary. This will enable you to identify what data you hold, why you hold it, where it is and who has access to it.
One of the key aims of GDPR is to give people control over their own data, which means companies using the data must provide access on request. So, you must be absolutely transparent about how and where you store data and the procedure by which it can be accessed.
Be careful when sharing
Do you share your clients’ data with third parties? If so, you must make absolutely sure that you have your clients’ consent for this, that you know what the data is being used for, and that the firms you share it with are protecting the data properly.
Only hold the data you need
GDPR requires you to only hold data for specific purposes, so you should have a clear-out of all surplus data. If, for example, you only use email for your marketing and communications, you can clear out all your phone numbers. The less data you hold, the less chance you have of falling foul of the regulations.
Appoint a Data Tsar
Dealing with GDPR is a big and ongoing task, so you need to have a senior person in place who knows the regulations inside out and has the job of implementing changes and overseeing your whole data operation.
Lastly, you should look at the requirements of GDPR as an opportunity, rather than an onerous task. Data is a powerful resource and the more you know about what you hold and why you hold it, the better, as this will enable you to use it more effectively.