What to do in response to GDPR
In his last blog, Jeff Hemming, Tikit’s Product Manager, Marketing Solutions, explained that the General Data Protection Regulation (GDPR) comes into force next May, and what that means for legal marketers. Here he describes what you can do to make sure you’re compliant and at the same time retain the valuable information that personal data can provide.
In my preceding blog I gave more detail on the key parts of the GDPR as they affect legal firm marketers. To summarize:
- The law will apply from 25 May 2018
- It applies to any organisation, wherever it is based, that holds the personal data of individuals in the EU
- Data must be held securely
- Data must be used transparently and for the intended purpose
- The law wants to give citizens control over their own data, therefore:
- you can only use a person’s data on a lawful basis, and for marketing that normally means their freely given, recorded consent
- you must delete that data if you’re asked to
- you must not keep it longer than necessary: the regulation sets no fixed period, so your firm needs a defined retention period (for example, two years after the last contact if the relationship isn’t still ‘live’) and must delete data once it passes
- you have to show all the data you have on the person if they ask for it.
The penalties are higher than under the Data Protection Act 1998, which this law supersedes, going up to a maximum of €20,000,000 or 4% of global annual turnover, whichever is higher.
Clearly law firms need to take this new legislation seriously, so this blog is about some of the practical things you can do ahead of time to ensure your firm’s compliance.
How to comply with the law
The first thing to do is locate all the personal data held and then confirm that you have a lawful basis, normally consent, for each way you use it. If you can’t find a record of consent, ask for it and record the response (who gave it, when, what they agreed to and how) so that when the regulation applies you can demonstrate compliance. You’ll need the right kind of technology to do this exercise cost-effectively and without taking up too much of your time.
Next, if necessary, I suggest that you bring all the data into one centralized system, the access to which can be shared and controlled appropriately.
Going forward this will make compliance management that much easier. For instance, if someone wants their data deleted, you know there’s only one record to remove and you don’t run the risk that a couple of months down the track they get an email from another part of your firm which puts you in breach of the law. Similarly, should an individual ask to see the data you hold on them, you can quickly and confidently produce what you have, rather than have to scramble around in separate systems.
Remember that your system will also have to record when and how consent was given. The regulation does not set a fixed retention period, only that you keep personal data no longer than necessary for its purpose, so define one (two years after the last communication from the individual is a reasonable working rule) and make sure the system can track and enforce it. And in a world of growing data security threats and concerns, staying compliant also means the system holding the data must itself be secure, with access controlled and logged.
The logical way to tackle all of these requirements is with a competent e-marketing system, and Tikit can help you with that. Our email marketing software will help you gain and track consent compliantly, it will enable you to consolidate your data and it will hold that data securely. This could be very important to your firm going forward, because firms in breach of the regulation could incur heavy financial and reputational damage.
The marketing angle
A final, crucial thing that firms must do is not overreact to the impending GDPR legislation. Don’t delete personal data before you have checked that there is no value you can extract from it.
For instance, by aggregating the information that sits alongside personal data – which seminar was most popular, or which blog got the most response – you can gain valuable marketing insights. The trick is to extract the aggregate figures and anonymise the personal data, and again Tikit’s email marketing software can help you with this. One caveat: properly anonymised data, which can no longer be linked back to an individual, falls outside the GDPR, but data that is merely pseudonymised (for example, names replaced by an ID that your firm can still resolve) is still personal data and still subject to the rules above.
That way you can remain compliant without losing out on the important information that personal data can provide.
By Jeff Hemming, Product Manager, Marketing Solutions at Tikit