Does your GDPR Compliance need a Health Check?

Are you doing it correctly?

Whether you were ready for it or not, GDPR came into effect on 25 May 2018 and with it a new world of data protection obligations.

While it’s been business as usual for most of us, one change which has been obvious is the increase in Subject Access Requests (SARs) from consumers, as well as requests for erasure (the infamous ‘right to be forgotten’).

Data subjects already had the right to submit a SAR to find out exactly what data an organisation held on them, but the £10 fee acted as a deterrent for many customers. GDPR removed that fee and, as a result, the floodgates have opened for SARs.

So if you don’t yet have all your data ducks in a row and are struggling to stay afloat, now’s the time to do something about it.

Subject Access Request

Tell me everything you know. . .

SARs can be quite daunting if you’re not prepared for them. You’re required by law to provide the individual with a copy of the data you hold about them, and if you don’t have your data clearly organised in a single place, you may struggle. Many organisations still process each SAR manually, an immense drain on resource and manpower.

We’ve seen companies who, having never before received a Subject Access Request, suddenly have dozens landing on their desks. What’s more, the time allowed to respond to the customer has been reduced from 40 to 30 days.


But you also need to give some thought as to what should be in the SAR. You need to supply personal data – but does that include campaign history? Segmentation? Profiling and other analysis? IP addresses? Although it might be tempting to simply shove everything into a report, it’s often neither needed nor desirable to do so.

Whatever you decide, if you’re going to ensure you can swiftly fulfil SARs, a Single Customer View (SCV) is the only effective solution. At the press of a button, you can produce any number of data reports, ensuring that you can fulfil SARs quickly, simply and cheaply.

Plus, of course, the SCV becomes the heart of your marketing strategy. It joins up all of your online and offline data, enabling you to drive personalised, real-time communications to your customers and prospects. So make sure that you’ve got your data pulled together and that your SAR process is fully automated.

Right to Erasure

Now forget about me. . .

Customers are also piling in with requests to be deleted from databases all across the UK, under their right to be forgotten. You might think that this is an easier task. Find the customer, hit delete, job done.

But it might not be that simple.

Firstly, as with a SAR, you need to make sure you can gather together all the data about that customer and delete it all at the same time. If you leave bits of data lying around, you’re in breach of data regulations.

Secondly, do you really want to delete the data entirely? You’re obliged to remove any personal data, but you may want to keep the transaction details so that your key statistics aren’t impacted.

For example, if you delete a group of customers who have made a high number of transactions with you, it could impact your average transaction frequency (ATF). So you may want to anonymise the data but keep the transactions linked.

Again, a Single Customer View is key to knowing what data you have, where it is and how you want to handle it.

Automating your SAR process

If you need help building a Single Customer View or automating your SAR process, or have other concerns over your data compliance, we’ll be happy to help. Just get in touch.