How to Make a Data List GDPR Compliant
The General Data Protection Regulation aims to increase the level of control individuals have over their personal data. It will be replacing the current Data Protection Act and is applicable regardless of the EU referendum in the UK. With the 25th May coming ever closer, companies are becoming increasingly proactive with cleansing and preparing their data. More is being done to become GDPR compliant before the deadline. With heavy fines in place for breaches, companies cannot risk letting their data just sit around.
If you hold data and do not really know what to do, this post is here to help. It is essential that any personal data you hold is both cleansed and compliant before May. This includes business data as well as consumer data.
However, how do you actually make your data GDPR compliant? Depending on the data list in question, what it holds, how you collate it etc, the answer varies.
This post therefore is here to shed some light on the processes involved in data cleansing and compliance. We will show you step by step how we cleanse both our own data in house, and our client’s data so that it is marketable. We work with many clients and take their raw data and then work our magic to give back a workable marketing database that is GDPR compliant.
1- The Raw Database
The first thing we will always do when we receive a data list from a client is validate it. What we mean by this is that we ensure each field conforms with the appropriate header.
You would be surprised at the amount of data we receive where there are email addresses in the telephone number column and vice versa. It can be simple human error from the data processor or the individual who submitted their data that leads to these errors. However, to market with data without undertaking data validation first can lead to more undelivered messages. Our in house data bureau work with data every day of every week and can make this a simple and quick process for you.
2- Normalised Database
Through validating the raw database, we can determine its current state. From here, we then cleanse the data. We remove/highlight any errors such as short telephone numbers, incorectly formatted email addresses (missing domains, @ signs etc.), missing names, incomplete postal addresses etc.
From there, we run the data against a number of files including, but not limited to, the following:
- Mortality/ Bereavement Files
- PAF Validation
- Gone Away Surpression
- Email Gone Away Surpression
Running the data against these files helps to identify records which need updating or in some cases, removing. Depending on the data list in question, we may also be able to append additional information. Certain contact methods such as email addresses, telephone numbers, postal addresses may be able to be appended to the data list. Alternatively, for business data lists, it may be possible to append company information such as employee banding, turnover banding, or SIC codes to add further value to the data list. This improves targeting as the more you know about a record, the more you can determine whether your business will be of interest to them.
So not only does this process bring the data up to date but it is possible to enhance it in certain circumstances. This helps the data meet compliance standards. Under GDPR, any data you hold must be as accurate as possible. You achieve this through regular data cleansing cycles. This also helps open the doors to marketing methods that may not have been available beforehand.
3- Standardised Database
The next step in the cycle is where GDPR rules on processing personal data come into play. Under GDPR, you are able to rely on one of the following six lawful bases to process personal data. We should note that you need to ascertain your basis before you process any data. You must also keep a record of this for compliance purposes.
- Contract from an individual
- Compliance with a legal obligation
- Life or death interest
- Public tasks
- Legitimate Interest
Of the 6, one of particular note is legitimate interests. Under this guideline, you are able to process an individual’s data if their data will be used for purposes that are seen as in their legitimate interest and in ways that they would reasonably expect. However, to rely on legitimate interest, you must undertake a legitimate interest assessment (LIA). This will help identify and remove any records that are not appropriate for your marketing. This prevents problems from occurring down the line.
Impact can undertake these LIAs for your business if we find that legitimate interest is the appropriate basis to rely on. It is worth noting that it will not be the most appropriate course of action in every circumstance.
Alternatively, if you require consent for marketing, it must be explicit. Previously we have written about opt-in statements and how they will need to change. An opt-in can no longer be hidden away in your terms and conditions and cannot be pre-ticked boxes. The individual must explicitly state that they consent to marketing.
4- Workable, Compliant Database
Once the above steps have been complete, you will have a clean, GDPR compliant database that you are able to use for your marketing. In some cases, it may be possible to add further records to an existing database. Any additional records will also be GDPR compliant. It is essential that you keep records of your processing methods.
Regulatory bodies require businesses to be able to show their processing methods. Individuals also have a right to see how their data is being processed and what businesses hold on them. Therefore, with LIAs, you must keep them in your system to call upon, if a regulatory body requests to see them.
Regular Data Cleansing is Imperative
Data can change within days. People move house, change job, companies close etc. Therefore, you need to ensure that you regularly cleanse any data you hold. Not only will this maintain high quality and accuracy which improves performance. It will also ensure you remain GDPR compliant. We would recommend you implement a 28 day cycle for cleansing your data. This will keep on top of any changes and opt-outs and will ensure you do not market to any non-compliant records.
Businesses cannot afford to sit idly by and let their data remain untouched. GDPR bring heavy fines for breaches. Furthermore, each individual has the right to know exactly how their data is being used and by who. Therefore, ensure that you keep records of all your data processes in order to meet compliance. Regulatory bodies may also request to see these in the event of any complaints.
Under the GDPR, you must appoint a DPO if: (this does not necessarily have to be in house and can be a third party if preferred)
- “You are a public authority (except for courts acting in their judicial capactiy)
- Your core activities require large scale, regular and systematic monitoring of individuals (e.g. online behaviour tracking) or;
- Your core activites consist of large scale processing of special categories of data or data relating to criminal convictions and offences.”
If you hold any personal data, it is not all doom and gloom, despite what you may have seen from other companies. Through the right company, you are able to both cleanse your data and make it GDPR compliant.
Impact Marketing have an in-house data bureau with data experts that know how to improve your data quality and make it GDPR compliant. Alongside this, we manage a range of business and consumer data lists that can be used for your marketing campaigns. We also offer a data cleansing service if you already hold data.
For more information, get in touch today and we will be happy to advise further on how we can help your business.