The deadline for the new marketing GDPR guidelines is set for 25th May 2018. For anyone who thinks that’s far away, it’s less than 100 days.

Your Privacy Policy needs to be simple, easy to understand and specific to the consumer. If you think there’s any room for misinterpretation, now is the time to set things straight.

Businesses that adapt and offer consumers real choice around their data stand a good chance of being seen favourably – both by consumers and the ICO.

Have you done a Data Audit?

The first thing you should do is examine your data flows.

This kind of Data Audit can yield results that come as a surprise to any business. If you’re doing it for the first time, it can often be a bit of an eye-opener.

Whether you realise it or not, there are always third parties. In most cases, there are also legacy systems or bits of data whizzing around that not everybody knows about.

You should look at all those different touchpoints. For example, where are you gathering personally identifiable information? You should map them out in a flow diagram. Even IP addresses are identifiable data, so it’s basically anywhere a customer is identifiable to you.

Remember, with the GDPR you need to be able to show whose data you have, where you got it, and who you have shared it with. Accountability is key.

What are the guidelines for consent?

The new marketing GDPR guidelines state that consent should be ‘freely given, specific, informed and unambiguous.’

Pre-ticked boxes or ‘tick opt-out’ boxes are on their way out.

The opt-in boxes must be held on a separate page to the one used for accepting the Terms and Conditions.

This means that many brands will have to be more detailed in their explanations of what they plan to do with personal data. That consent must be signalled by a clear, affirmative action rather than simply not opting out.

Is your consent of good quality and a high standard? Does what you have collected over time fulfil the requirements of GDPR? If yes, then that’s fine. You can pretty much continue doing what you are doing.

If it doesn’t then you may have to go through a refresh process. This will bring that data up to the right standard.

You can use data that has previously been collected going forward. You should check that your current system complies with the GDPR’s guidelines.

However, your current policy might not comply with the GDPR. Therefore, now is the time to work out whether it’s worth recontacting older customers and seeking permission to use their data.

If you are still unsure of how you should manage your consent, check out the GDPR page on Castle for more information.

How sensitive is your data?

If you’re doing something straightforward, such as compiling data and segmenting your file based on customers’ age, what they have bought, or where in the country they live, then that is fine. You shouldn’t have to worry too much, as it can be explained very simply.

You may be doing something much more intrusive – maybe you’re going out to third parties and getting additional data about the income of the household or the car they drive – while you may have a very good reason for collecting that data, it might be more difficult to pass the balancing test to be able to do that under legitimate interests.

If you’re doing particularly sensitive profiling, you might have to ask for consent.

There are few certainties yet about how the regulator will interpret marketing GDPR, but those brands that take the proactive steps outlined above, and can demonstrate their justifications for doing so, should avoid nasty surprises.

If you’d like to know more about how your business could be affected by GDPR, contact a member of our team today.