In the third post in our series on preparing for the new GDPR law to come into force, we’re looking at the amount of personal data a business holds, and asking the question: can you reduce it?

What the new law will require

The new data laws will require that organisations only use data that they have specific permissions for (for more on this, see our previous blog posts on GDPR). Right now, organisations may collect data under a catch-all permission system. People tick a box and say that they trust the organisation not to sell data to a third party, for example.

After May 2018 organisations will need permission for each application of the data – so if data is collated for customer services reasons, they can’t also use that data for marketing, unless permission has been granted.

All businesses will have to comply with the new regulation, so to make it easier, we advise you cut down on the data you hold, where possible.

What you can do to reduce the data you hold

It’d be prudent to start looking at what data you hold, now, so you have time to take action before the new law comes into effect.

Start by auditing the data you use and store, and what is done with it. Then take preventative measures to ensure data collection doesn’t get out of hand (by training employees in best practice and carrying out checks, for example).

1. Use analytics to monitor who accesses what data.
Organisations will need to be more restrictive over access rights under GDPR. At present, if a person purchases something from a website, they’re often automatically signed up to email marketing. They then need to opt-out of this (and sometimes it doesn’t seem to work and we still get the emails anyway). GDPR places the emphasis on the organisation to get permission first. (It’s worth noting that charities will still be able to use the opt-out method that they use for marketing and fundraising at present – rather than the opt-in process that GDPR introduces for most organisations.)

2. Look at whether you really need all this data.
All organisations need to analyse exactly who has access to what information, and why they need access to it. Do they need the data for their work? If not, you don’t need to hold it. Perhaps there are data sets that aren’t referenced at all? Or data that’s still collected because it’s what the organisation has always done, even though there’s no longer a need for that data? If you don’t need it, don’t keep it.

3. Know Your Customer compliance.
Although this is mainly an issue for banks, it’s common for many organisations to find out as much as they can about customers. For example, does a high-street retailer really need to know how much your total household income is just to sign you up to a loyalty card? (They probably do, for marketing purposes, but under GDPR signing up for a loyalty card doesn’t equate to permission to add a customer’s details to a marketing database.)

4. Ensure the data you do hold is accurate.
Have a system in place that allows you to continue to identify customers, ensure information is accurate and continue to provide a personalised service, using the minimum of data. Of course, this system needs to make it easy for people to provide – or deny – permission to use their data for specific reasons, and give them the ability to take their data elsewhere and get it deleted from the organisation’s systems.

5. Train your team in the new data laws.
Something as seemingly simple as copying a tweet to add to a customer’s communication history becomes more complex under the new data laws. People will have the right to be forgotten, and they may not want you to keep a record of their social media posts.
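Points 1, 2 and 4 above describe one mechanism: every read of customer data is tied to a stated purpose, permission is opt-in by default (with the charity opt-out exception), access is logged so unused data can be found, and people can export or erase what is held. The sketch below is an added example, not the post's own code; the purpose names, the `charity` flag and the sample customer fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed example: the purposes the post mentions, each one a separate permission.
PURPOSES = {"customer_service", "marketing", "fundraising"}
OPT_OUT_PURPOSES = {"marketing", "fundraising"}  # charities may keep opt-out for these

@dataclass
class Record:
    data: dict
    consent: dict = field(default_factory=dict)  # purpose -> True/False, explicit choices only

class ConsentRegister:
    def __init__(self, charity: bool = False):
        self.charity = charity  # charities keep the opt-out model for marketing/fundraising
        self._records: dict[str, Record] = {}
        self.access_log: list[tuple] = []  # (who, customer_id, purpose, field, allowed)

    def store(self, customer_id: str, data: dict) -> None:
        self._records[customer_id] = Record(dict(data))

    def set_consent(self, customer_id: str, purpose: str, granted: bool) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._records[customer_id].consent[purpose] = granted

    def _allowed(self, rec: Record, purpose: str) -> bool:
        if purpose in rec.consent:  # the person made an explicit choice
            return rec.consent[purpose]
        # No explicit choice: opt-in (deny) by default, except the charity opt-out case.
        return self.charity and purpose in OPT_OUT_PURPOSES

    def access(self, who: str, customer_id: str, purpose: str, fields: list):
        rec = self._records.get(customer_id)
        allowed = rec is not None and self._allowed(rec, purpose)
        for f in fields:  # analytics: who read which field, for which purpose
            self.access_log.append((who, customer_id, purpose, f, allowed))
        return {f: rec.data[f] for f in fields if f in rec.data} if allowed else None

    def unused_fields(self) -> set:  # held but never read with permission: delete candidates
        held = {f for rec in self._records.values() for f in rec.data}
        read = {f for (_, _, _, f, ok) in self.access_log if ok}
        return held - read

    def export(self, customer_id: str) -> dict:  # portability: everything held about a person
        rec = self._records[customer_id]
        return {"data": dict(rec.data), "consent": dict(rec.consent)}

    def erase(self, customer_id: str) -> bool:  # right to be forgotten
        return self._records.pop(customer_id, None) is not None
```

Data collected for customer service cannot be read for marketing without a separate, explicit permission, and a field nobody reads with permission shows up in `unused_fields()` as something to stop holding.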

We’ve all operated under the opt-out data collection system for years, and it will take time (and training) to learn how we need to modify our behaviour to comply with GDPR. Understanding what data you need (and what you don’t) is the first step in getting to a good position to deal with the challenges that the new regulations present.