I’ve got a lot of names for GDPR, but they’re not accurate, definitely not savoury and, more to the point, won’t prevent the clock from striking midnight on Friday 25th May. So, I’ll keep my opinions to myself.
What I do know is that six months ago I accidentally volunteered myself to become the ‘GDPR champion’ (spoiler alert: no pom-poms are big enough to take this task on) for my charity’s Marketing and Communications department – and I’ve learnt to ~~tolerate~~ enjoy the difficult questions teams are asking me about the Information Commissioner’s Office’s (ICO) changing law.
But, with its website intermittently crashing as businesses big and small attempt to untangle the subjective jargon, it’s no surprise that confusion looms around what it actually means for consumers and businesses – forcing the organisation to plan more effective awareness campaigns, starting with ‘Your Data Matters’.
Robert Parker, Head of Communications for the ICO, recently admitted to PR Week that he has a challenge on his hands to land this message (that individuals are in control of their data and the ICO is there if they’re in any doubt that an organisation is following the rules) with a limited budget. But, has enough been done to prepare businesses first and foremost?
The ICO partnered with the Federation of Small Businesses earlier this year, targeting companies with 10 or fewer employees, to encourage them to raise the bar when it comes to data protection. But, there’s little evidence to suggest they’re now feeling comfortable and confident with the upcoming changes.
The ‘Making Data Protection Your Business’ campaign used radio adverts to drive website traffic, where employers could watch videos and download FAQs. But, surely if it were that simple, no one would have anything to worry about in the first place?
I’m by no means an expert (but then again, all the GDPR experts I seem to have worked with like to admit they’re not either, very early on into the relationship). But, here are my five quick-fire tips for all marketers (yes, that includes you) to clearly demonstrate how you’re taking personal accountability to protect personal data – handling it with care and respect at all times:
Don’t save personal and / or special category data on your desktop
From case studies and films to consent forms and contact details, these elements enable us to identify individuals. Always save documentation in your server folders, as opposed to desktop and personal drives.
Don’t email attachments containing personal and / or special category data
Attachments enable people to save, share and edit their own versions of the documentation. Instead, provide links to files from your server, so teams can work from one true copy. If you do need to send email attachments, ensure the document is password protected.
Check if your email content is appropriate for the recipient
Before forwarding emails, check the full content of the email (to ensure it doesn’t contain any personal and / or special category data). If it does, sense check whether the intended recipient should receive this information. If in doubt, check or omit.
Ensure your data collection touch points outline how data will be used and stored
Only use personal data you have been given in the way that it was intended
If you’re processing data given to you by a third party (e.g. beneficiary, influencer, ambassador etc.), you can only use it in the way it was originally intended. For example, if you are given a private postal address to order a taxi, you cannot use that address to send communications unless you have explicit consent. Verbal consent is appropriate (and should be recorded), but written consent is better.
Friday 25th May is just the beginning. And, like Robert mentions, different strands of the ICO’s education campaign will be rolled out over the coming years.
We’re all on the same journey. But, if you can make the five points above a habit now, you, your department and your Data Protection Officer will thank you in the future.