European Union Data Protection Regulations (Part 2): Stop Waiting and Start Planning
- The European Commission aims to have EU Data Protection Regulations wrapped up by the end of 2015
- Marketing teams should start working with their marketing operations team now to determine what changes will be needed to comply
- Here are some questions to start the conversation in your organization to identify potential gaps
In my previous post, I shared the latest information published by the European Commission on the planned EU Data Protection Regulations. These regulations promise to be both far-reaching and impactful for marketing organizations globally as the laws will apply to any companies doing business within the EU, regardless of where they are based.
The European Commission aims to have things wrapped up by the end of 2015, which means marketing teams would be wise to start looking at these issues now and working with their marketing operations team to determine what changes will be needed in order to comply.
Here are some questions to start the conversation in your organization to identify potential gaps:
Getting Consent From Individuals
- Do you obtain opt-in consent from individuals before permanently storing and using their personal data for marketing purposes?
- Do you regularly review your opt-in mechanism to ensure it is adequate across all communication channels used?
- Do you regularly audit your marketing database to ensure consent is clearly documented and up-to-date?
- Do you offer a clear opt-out mechanism for individuals to withdraw consent?
Deleting an Individual’s Personal Data
- Do you have a documented map of all the locations where an individual’s personal data (details and digital activity) is stored within your organization?
- Do you have mechanisms in place to allow you to quickly erase an individual’s personal data across all relevant marketing databases if requested by the individual?
- Do you regularly review and delete personal data records that are no longer in use?
Using Data Brokers and Outsourcers
- Do you regularly review the data protection and consent policies of your data brokers or teleprospecting outsourcers?
- For purchased lists, do you obtain consent from those individuals before permanently storing and using their personal data for marketing purposes?
- Do you have safeguards in place to ensure the security of your marketing database is not breached?
- In the event of a breach, does your organization have a clear mechanism to ensure you are able to notify the relevant parties in a timely fashion? If yes, is the marketing team aware of these processes, and does it know whom to contact in case of a breach?
Help Is at Hand
As you start to discuss these questions within your organization, it’s important to know you are not alone. Your local data protection authority’s (DPA) website is a good source of information and guidance. As a starting point, your DPA can help you determine how well you comply with the Privacy and Electronic Communications (EC Directive) Regulations (PECR) in place today. A list of the local data protection authorities can be found on the EU’s Data Protection Web site.
As an example of the type of help on offer from your DPA, here are two tools that can be obtained from the UK’s DPA, the Information Commissioner’s Office (ICO):
- ICO Direct Marketing Guide: This guide explains the Privacy and Electronic Communications Regulations (PECR) rules on direct marketing and how they affect lead generation and the use of marketing lists.
- ICO Direct Marketing Checklist: This checklist helps UK marketing teams ensure their marketing messages comply with UK law by offering a quick guide to the different rules on marketing calls, texts and emails.
The ICO also offers support via phone or through advisory visits.