With GDPR less than a month away, retailers are battening down the hatches in preparation for the regulations. In this piece, Judy Boniface (pictured below), CMO, Mailjet, tells RetailTechNews how businesses can be preparing themselves, as the deadline looms ever closer.

If you don’t know by now, you should know. GDPR is set to have a huge impact on the way marketers do their jobs, if it hasn’t done so already. Our ongoing research into the readiness of startups, for example, run through Product Hunt, has been met with over 10,000 responses to date. There’s an almost insatiable appetite to learn more and become an expert in this area.

However, something to remember is this interest isn’t just relevant for the UK, it’s as important in the U.S. as it is for APAC marketers – it will affect anyone collecting, processing, and storing personal data of citizens within Europe.

On top of this, many are forgetting that GDPR doesn’t exempt anyone based on size or revenue. The EU wants to guarantee that companies big and small (profit or non-profit) are taking data privacy seriously and incorporating this mentality within the DNA of their company. Following the recent Facebook and Cambridge Analytica news, this has never been more important for consumers either.

You may have heard from friends who sit within a large corporate marketing team that they brought on an external legal team to manage the transition to GDPR-compliance – however, it isn’t that easy for smaller businesses. Just because you work for small business, it doesn’t mean you will keep clear of fines of up to 4% of global revenues or €20 million.

Giant leap ahead for small businesses

Our initial study of over 4,000 small businesses into the state of their GDPR preparation noted that the average readiness score was a disappointing 4.1 out of 10 and only 29% are encrypting their personal data.

Despite the low level of compliance, 91% of small businesses still report collecting personal data from their clients. As the 25 May 2018 deadline approaches very quickly, it’s time for small businesses to roll up their sleeves and get everyone mucking in to ensure everything possible has been done in preparation for GDPR.

Judy Boniface, CMO, Mailjet

If they haven’t done so already, the three steps below are critical and need to be actioned now. They will take the most time and are going to matter the most when the auditors knock:

Spring clean your database and its processes

Unless you have a record of consent, you will no longer be able to send email marketing campaigns to your legacy contacts unless you have gained new and explicit agreement from them.

Check your current data status and document:

- What personal data do you already hold?

- Where did it come from and who have you shared it with?

- Where are your vulnerabilities and where can you be held liable? 

- Know where your data currently lives and classify this information.

- Ensure you have procedures in place to detect, report, and investigate data breaches.

The temporary consent of soft opt-in when collecting an individual’s email details is not considered as explicit consent or a satisfactory practice. No matter how much someone engages with your marketing communications, consent must be asked in unambiguous language.

Begin to action this step as soon as possible to lower any risks. If an outdated contact criticises your communication, this could question the validity of your marketing programme immediately.

Scrutinise your third-party providers

Whether or not you view other teams as a partner, you need to vet all third-party companies with whom you work with a fine tooth comb. It’s important to understand where exactly the personal data that you have collected on your customers is being shared and transferred. If this data is being shared into places like your CRM system, email service provider, or customer support system, for example, you need to ensure that these third-party providers themselves are GDPR-compliant. This is often the most tenuous link in the journey to becoming GDPR-compliant.

Here are 12 important questions to ask all of your third-party providers regarding their level of compliance. Putting a data registry in place is highly recommended as one of the first steps in your journey to compliance.

Do not underestimate how long this step will take, as it is likely going to be a cross-departmental effort.

Evaluate the data collection procedure

Typical growth hacks, such as scraping LinkedIn email addresses and buying mailing lists, will not stand up under GDPR scrutiny. It is imperative that you know when the consent was obtained (data and time stamp, for example) and the exact purpose for which the consent was given.

Embed privacy by design and default into all projects – don’t collect more personal data than you need, use anonymisation, pseudonymisation, and encryption.

Whilst the first three steps will take longer, the next three are equally as vital in the quest for GDPR-readiness.

Drive education for all

All senior management teams need to be aware of GDPR and the likely impact on your organisation to guarantee internal buy-in. As you go through this process, remember to inform and educate your employees and personnel on the collection and treatment of all customers’ data.

Change the internal mindset

Our study discovered only 49% of respondents know if they need a DPO and only 35% have provided team training about GDPR. Worse yet, only 39% have updated their privacy policy. Despite this, it is very important to change the typical mindset across the business from the product, tech, legal, and marketing standpoint to focusing on what consumers what. No matter what shape and size, all teams should be able to honour and respond to the consumer rights that will be put in place by GDPR and any requests for clarity over their data.

We understand businesses are in a precarious position, but it is crucial they bring everyone up to speed on:

- The right be forgotten, be informed, have personal data deleted, have a copy of their personal data (within a month, free of charge)

- Right to data portability – data electronically sent to them in a commonly used readable format

- Right to restrict automated decisions and profiling

- Right to object

Familiarise yourself with DPIAs

Work out when and how to implement Data Protection Impact Assessments in your organisation (note: exemptions exist for small businesses and low-risk small-scale data usage). Determine whether you need to appoint/contract a DPO (Data Protection Officer) who will be responsible for data protection compliance, acting independently and reporting to the highest levels of management. You will also need to make sure your contracts for all third parties contain the new provisions.

Ultimately, GDPR isn’t intended to curtail the amount of communication brands can have with customers – marketers must see the bigger picture. While it’s true that if brands act fast they will significantly lower the risk of fines, readiness should be an ongoing process that doesn’t just stop on the 25th of May.

The new regulations are a chance to increase trust and respect from customers who value the fact that their personal data is taken seriously. With the recent consumer focus on data following the Facebook and Cambridge Analytica news, there is no time like the present!This content was originally published in RetailTechNews.