If you’re not ready for GDPR hitting the scene next month, it’s time to be afraid—very afraid. Unless you’ve got an extra €20m to spend on noncompliance, then I hope you’re checking and rechecking your ducks for alignment. Best place to start? Your CMS.
The Breach Level Index this month revealed that 2.6 billion records were stolen, lost, or exposed worldwide in 2017, jumping 88% from the previous year. Of the 1,765 data breaches in 2017, 69% were identity theft.
TalkTalk (a telecommunications company) came under fire in 2016 for security failings that enabled hackers to access customer data. They were fined a hefty €460,000. This figure would be a painful €68.3m post GDPR.
But according to the GDPR authorities, we’ve had two years to get ready, and should be by May 25, 2018. It’s a hard deadline. No grace period. (That’s what we’re in now.)
But We Love Data!
No matter where they are located, companies must get busy developing provably compliant procedures and processes for dealing with EU customer data and should be able to respond quickly to customer rights.
If you’ve suffered a touch of head-in-the-sand for the past two years, here’s what you’ve missed: You must get confirmed consent (preferably using double opt in) for each specific use of an individual’s data. This applies to new and existing data. Should an individual ask to see the information you store about them, to update it, to limit how you use it, to have it exported (to either another company or themselves), or even to have it completely deleted (from all areas of the company), you must be able to fulfil the request in a timely manner.
In short: goodbye marketing—we’ll miss you. Or is it? Not if you’re smart!
GDPR Compliance: Everyone’s Least Favorite Subject
Getting compliant will most probably require a complete overhaul of your current systems and practices so you can ensure protection of your users’ data. Let this not exclude any third parties you deal with, as you become jointly responsible for data you share with them and could be held accountable for their lack of compliance should they fall short. There are also very strict guidelines about data transference under GDPR.
Alert Logic’s recent survey found that over a third (32%) of EU-based companies expect to have to make major changes to their security processes and software. Businesses listed their biggest challenges to compliance as lack of budget (50%), not enough in-house IT know-how (48%), and limited understanding of GDPR regulations (37%).
A Pulse Survey carried out in July 2017 examining how ready companies were for GDPR found that, although 93% of companies had started preparations, a third of them had only started in the first half of 2017. Of those considering themselves to be compliant (just 11%), 88% had spent over $1 million, with 40% of those actually spending over $10 million.
GDPR-ready companies are already positioning themselves as early compliers to give themselves that competitive edge. Those with a long way still to go (89%!) are at risk of incurring eye-watering regulator fines, litigation costs, and losing out on opportunities in Europe.
In August 2016, the airline Flybe received a fine of £70,000 for sending emails to their 3.3 million-strong customer database about whether the details they had on file for them were correct. Unfortunately, all customers had previously opted out.
The JD Whetherspoon company recently make the extraordinary decision to just go ahead and delete their entire database containing over 650,000 email addresses. That’s one way to deal with the data issue…
GDPR is a companywide concern as almost every part of an organization touches personal data in some way (developers, sales, customer support, marketing, etc.) But despite this, Symantec’s State of European Privacy Report found that just 14% of businesses consider data protection to be the responsibility of everyone in the organization.
OK, So Get to the Bit Where My CMS Helps
Your content management system (CMS) is at the core of your business, so it’s important that the software itself is GDPR ready.
Your CMS should be able to handle multiple consents for each user that are purpose specific and should link them directly to related areas and features of the site for which consent is required, automatically recognizing when consent for a specific activity has yet to been obtained.
It should offer easy double opt-in validation models so that verification emails are automatically sent and consent validated upon the user’s confirmation.
No two companies are the same, and each one will be unique in terms of GDPR requirements. Your CMS (including its consent forms) should be completely customizable to your specific needs.
Preferably with its own CRM, your CMS should store all personal data in one location. It should be quick and easy to respond to users’ requests to update details and a complete history of consent should also be available as proof when audited. Should a user wish to view all information stored about them (or have it sent to a third party), your CMS should enable you to export and send it in a machine-readable format (such as XML) as stipulated by the regulations.
When a right-to-be-forgotten request comes in, it should be easy to do, with all information from the entire organization trackable for deletion. But, if applicable, your system should also recognize which information is exempt from this request. It should send notifications to all third parties with whom you have shared the information to make sure the deletion request is actioned on their side too. According to the Symantec report, only 40% of businesses have the systems in place to respond to such requests.
Features like data flow mapping and workflows will be important in getting a clear view of your privacy risks and managing the vast amount of related documentation. Reporting will be handy in outlining where certain data is stored. And permission management will become extremely important, so your CMS should offer granular permission levels and superior user authentication and tracking.
Not an easy set of features to find in a CMS… unless you’re with Kentico, of course.
GDPR: Is It Really All Bad?
As May 25 hurtles towards us, it can feel like the Armageddon of marketing. But, surprisingly, GPDR compliance can bring benefits to your company, its practices, and to your customers too.
We’re all going to have to change how we operate. And this can significantly improve data management and organization processes, as well as conversations between departments. Better Marketing-Sales cooperation can lead to deals closed sooner and a much smoother customer experience.
Ok, so having to go through your current database and cleanse it is never going to be fun, and you’re likely to lose a huge chunk of it. But once you’re done, you’ll get that “nice and clean” feeling and you know you’re not going to be harassing unwilling recipients from now on. Sure, you’ll have less data to play with, but what you do have will be considerably more dependable and relevant. You can obtain greater value from your reduced database as those on it are already interested in your company and are much more likely to be converted into quality leads!
And, finally, of course, there’s the small point of customer trust. GDPR compliance shows that you respect your customer’s personal data and are careful about how you handle it. This kind of trust isn’t something you can buy—not even with that extra €20m!
So if you’re fearful of the changes coming your way in a month’s time… good. Because no amount of sand is going to hide your head from the GDPR powers that be. But remember, this whole thing came about because it’s something your customer values. Happy customers help a business thrive.
So keep them in mind as you slog through the bother of getting compliant. They’ll love you for it in the end.
Check out Kentico 11’s GDPR and Data Protection app to find out how you too can help put GDPR compliance at the heart of your tech stack.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.