One month until GDPR is go! How are you getting on?

data
dataprotection
gdpr

(Melissa Saunders) #1

With one month to go until the new EU data protection law comes into enforcement, I’m living and breathing GDPR. How is everyone else getting on?

Do you now have a fully compliant database? Are you in the middle of a re-consent campaign or have you yet to get going on this?


(Abena P) #2

Um, not quite a fully compliant database yet :blush:. About to start a re-consent email campaign to join the millions already underway. We’re offering an entry in a prize draw (absolutely, definitely, certainly not a bribe) to recipients who sign up again. How are you getting on?

I had a question about GDPR and data backed up in the cloud. If you delete all the data you have on your system, whose responsibility is it if that data could theoretically be retrieved from a backup system?


(Melissa Saunders) #3

Good question Abena - I would imagine if it’s your data ultimately you’re responsible but we all use so many third parties day to day so we’re very vulnerable if there’s a breach beyond our direct control, @Belinda_Booker any thoughts on this?


(Richard Millington) #4

I’m going to start looking at our online community and doing a full review of the process/what we need to do.

My feeling is we’re going to have to do our best and get some outside legal advice here.


(Belinda Booker) #5

If the company is based in the EU, they too would have to be compliant with GDPR. If it’s outside, it would be worth contacting them for clarification.


(Melissa Saunders) #6

Almost everyone I’ve spoken to is getting legal help on this.


(Melissa Saunders) #7

So if a third party acting on behalf of you claimed to be compliant but then breached with your data would that still be your responsibility as the data owner?


(Belinda Booker) #8

Here’s some ICO guidance:

"Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects
protected.

“Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.”

Short answer is you’d have to prove you took reasonable steps to make sure the third party was compliant.


(Dewi) #9

The largest event that I co-organise has got a person who’s volunteered to be in charge of data protection for the event. First job for her is GDPR.


(Aman Brar) #10

We’re finding it a bit of a pain as a small company, but I appreciate that the law is really going to make the world a better place - fewer spammy emails, more control of your data and the ability to see what people know about you.

At Printkick we’re using a few different resources to get compliant, and we’re split it into different categories:

  • Data processing (Covering all the services we use on our website and external suppliers - making sure they have data processing agreements set up and that they can delete customer data at will)

  • Cookie consent (Making sure that people are opting in to analytics and cookies, so we can improve our customer experience, and not tracking anyone who doesn’t opt in)

  • Documentation (Making our internal processes for removing customer data, allowing an export, etc, completely clear for all employees)

  • Updating our privacy policy (Including all the information above, and adding our data controller - me!)

  • We don’t tend to send too many marketing emails, but obviously we’ll be changing the checkbox to unticked by default, and ensuring double opt in for new subscribers :slight_smile:


(Melissa Saunders) #11

Sounds like you’re well on the way Aman.


(Belinda Booker) #12

Regarding the documentation aspect, are you using a CRM? I’m wondering what the best systems are for compliance (ease of exporting, storing proof of opt in etc).


(Melissa Saunders) #13

Yes there seems to be a lot of information about compliancy in collecting data but less information on the other elements of GDPR. Would be good to see some recommendations.


(Aman Brar) #14

Yep, we’re using a CRM, so it’s not too hard to export or delete users. We’re figuring out where to store consent / opt-ins, but this might be split between systems at the moment.


(Melissa Saunders) #15

What kind of opt-in rates are you all getting? I’ve heard between 2% and 10% from various sources.


(Melissa Saunders) #16

Whilst trawling the web for industry reports on how GDPR is going, repermission rates etc. I came across this round up of GDPR emails… not events but definitely food for thought: https://www.econsultancy.com/blog/69966-gdpr-15-good-bad-examples-of-repermissioning-emails-campaigns

Also picked up that having yes and no buttons on the email rather than a single (re)permission button can enhance consent rates.


(Melissa Saunders) #17

I received a GDPR email from Funky Pigeon cards today from which I unsubscribed. Almost immediately I got a promotional email from them with a special offer. It was so quick after I opted out that I’m sure it must be a strategic thing. I was partly impressed with their last ditch attempt to hang on to me and partly irritated as I’d just unsubscribed. I’ve not come across this from anyone else.


(Melissa Saunders) #18

I found this on Twitter earlier:
GDPR 2

Not long to go folks!


(Belinda Booker) #19

What I’m not clear on is from what point do you have to seek re-opt in? For example, if I joined a mailing list earlier this year, do they have to ask me again? Or if I gave clear consent when I opted into a mailing list three years ago, do they still have to ask me again?


(Melissa Saunders) #20

I’m unclear on that too. I think if you opted in whenever in a way which is GDPR compliant and there is a trail on record of you doing that they don’t need to ask you again. However, I also heard that if you registered more than two years ago it’s not valid and you do need to be invited to opt in again but I’ve not got that verified as yet.