There were two standout moments for me in Digital Catapult’s Stephan Chandler-Garcia’s talk at Forcewest, on the GDPR.
- The first one was that when he was 16 and working on the desk at a gym, someone phoned him up and deliberately tricked him into divulging a (small) piece of customer information. He was in a lot of trouble. All these years later, he’s now a data protection evangelist. What doesn’t kill us, makes us stronger etc….
- Second moment: There has been no significant reform of the data protection laws since Spice World was in the cinema. And when you think about it, the 1998 Data Protection Act came along before Facebook, before any Social Media in any form, before the iPhone. So possibly some new rules are overdue. (No need for a Spice World sequel however)
If your organisation holds any form of customer data, in any form, B2B or B2C, then you need to get up to speed with the General Data Protection Regulation (GDPR) coming into force in May 2018. So that would be all of us, then.
Stephan Chandler-Garcia works with government body Digital Catapult with a remit of keeping digital business in the UK growing and healthy. As a Salesforce specialist and the CRM manager for his own organisation, the thorny task of spreading the GDPR gospel has fallen to Stephan and his team. And he has got his work cut out for him: the ‘big’ consumer data players (think EE, British Gas etc) have their plans made and ready to roll out, while the SMBs are struggling to come to terms with what it all means. But come to terms with it they must, as the fines for not complying with the new regulations are astronomical – €20 million or 4% of global turnover, whichever is the highest. That’s right, the highest!
So what is the GDPR, in a nutshell. In Stephan’s words, the point of the legislation is to take back the control over personal data from the business and give it back to the customer. This is about organisations no longer being allowed to hold customer data for no reason.
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
Of course ‘personal’, ‘adequate’ ‘relevant’ and ‘excessive’ are all words which can be interpreted in any number of ways. So for example, if I were to have a contact record of a marketing professional I met at the London Salesforce World Tour in 2013, and I send them a catch up email once every 6 months (which they never open), is that acceptable? Probably not. If I hold the details of a customer who asked me for a vehicle servicing plan 2 years ago and will need a renewal this year, is that OK? Arguably yes.
There are many simple measures we can all take right now to bring us some way into line with this legislation e.g. update the privacy statement on your website to explain your approach to data collection. Then there are going to be more complicated changes we are all going to have to make in our Salesforce CRM to make sure that we are up to speed e.g. do you have a list of email suppression requests in your marketing automation tool? That’s going to need to go…
Unfortunately this blog post is not a comprehensive list all the actions you need to take to be ready for GDPR in May 2018. However, we can suggest that you take a look at Stephan’s presentation below, which gives an overview of what this is going to mean in Salesforce terms.
Also, check out these links to some more ‘official’ information and next steps from the ICO (The Information Commissioner’s Office). These guides are a very valuable source of information.
The ICO – 12 Steps to Prepare Yourself for the GDPR
ICO – Guidance for Consent (more to come)
Over the coming year, Desynit will be working with our customers to make sure that they are fully aware of their responsibilities in light of the GDPR, and also delivering any changes they will need to make their Salesforce setup data compliant. If you’d like to talk to us now about how we can work with you to prepare, then please do get in touch. Also, keep an eye on our blog: I’ll be sharing more practical information, links to useful events and other sources of information relating to getting ready for GDPR in the run up to May 2018.
For the US and North American markets, GDPR compliance is becoming quite challenging as companies are struggling immensely with scoping issues and documentation issues. More specifically, I’m finding that controllers and processors are unclear at times as to what’s in scope, then further challenged by the complete lack of policies and procedures in place. I look at GDPR compliance as a two-fold process, and that’s (1). Putting in place the actual processes and best practices, and then (2). Documenting such processes and practices with well-written, factual policies and procedures.
The amount of time and money that organizations are spending on policy creation, along with acquiring additional tools for GDPR compliance is quite staggering, but again, it’s got to be done. Hopefully, as time passes the EU will provide better guidance on many of the articles that are currently somewhat vague. This has been done to obviously account for the large number of industries that need to become compliant. Well, good luck to everyone’s GDPR compliance issues and do all you can for meeting the deadline of May, 2018.