GDPR is live, what’s next?

In the run-up to May 25th, it seems to me that most companies focused all their efforts on ensuring GDPR compliance on the consent and contracts fronts. Assuming these are sorted, you now need to make sure that the personal data you hold about your customers and prospects is accurate and up to date. After all, although the Information Commissioner’s Office doesn’t expect everyone to be perfect by now, they have stressed the importance of demonstrating continuing efforts to achieve full compliance. As Richard Sisson, senior policy officer at the ICO, says: “You can’t forget about GDPR and it’s done. It’s an ongoing thing.”

He expanded on this by saying, “We are trying to reassure people that if you are trying to do the work that you can to comply, if you are working towards the accountability principle and ensuring you have records of what you’re doing, and you can show that you are working towards compliance – we may not be entirely happy all the time, but we will take those things into consideration. We understand that. We’re not going to be issuing huge fines on 25th May.”

But if you aren’t sure how accurate and up to date your data is, it won’t be! And you need to start doing something about it now. As the Chair of the EU Article 29 Working Party Isabelle Falque-Pierrotin said, “This is a learning curve and we will take into account, of course, that this is a learning curve… but it’s important that you start today, not tomorrow. Today.”

There are two key things that you need to focus on to start with:

  • Making sure that you only communicate with your customers using accurate and up-to-date data. This will minimise the number of customers who are prompted to contact you to question what data you hold on them and maybe lodge a Subject Access Request.
  • Being able to respond promptly and fully to Subject Access and erasure requests (Right To Be Forgotten).

An accurate and current Single Customer View is essential if you are to have full confidence that you’re meeting your data compliance obligations. Achieving it can involve not only implementing suitable software to create and maintain the Single Customer View, but also admin work: human review of “grey area” matches, that is, records that might be for the same person but are sufficiently different to need someone to check and maybe dig deeper.

So how do you reduce the chances of data inaccuracies being drawn to the attention of your customers, while showing solid steps taken and scheduled if someone lodges a complaint with the ICO?

  1. Consider a comprehensive, effective audit of your personal data, checking for duplication, out-of-date and incorrect addresses, people who have moved or died, phone numbers on the Telephone Preference Service etc.
  2. Make sure that data for any mass campaign or mailing that you undertake is run through an effective data cleansing solution to fix any problems before it is sent to print or the telemarketing agency.
  3. Take steps to implement a Single Customer View. The best matching software, such as matchIT Data Quality Solutions, will intelligently grade matches so that the vast majority can be automatically processed: combining duplicate records, linking matching records etc. Then the chances of your customers being aware of a problem are greatly reduced.
  4. While your admin team is reviewing the matches that got low matching scores in order to make manual decisions, or even before you’ve done the automatic processing, matchIT Web provides a real-time Single Customer View that interrogates all your databases as part of your inquiry function. This allows your users to see all potential matches on the screen when a customer calls in. It also provides a quick, effective way of handling Subject Access Requests and the Right To Be Forgotten.

One more thing to keep in mind, of course, is that you need to make sure that your customer data is kept secure at all times while you’re on your journey towards GDPR data compliance. Maybe I should add a 5th item to those above: make sure you’ve got a plan in case the worst happens and you have to notify the ICO of a data breach… which could in turn require notifying all your customers. The sooner you have that accurate Single Customer View in place, integrated into the security of your database, the sooner you can be confident that you’re doing everything you can to minimise the chances of a breach – and the easier it will be to notify your customers should one happen.