GDPR: How to get the job done
Complying with the new data protection regulation may seem like an impossible task, but it’s one we all have to get to grips with. Here are some practical steps to take now.
We’re now three quarters of the way through the transitioning period from the old Data Protection Act to the new regulations. There are just six months to go until the Information Commissioner’s Office (ICO) starts applying the General Data Protection Regulation (GDPR). But, are we all ready? Well, I think presently the collective answer would be a ‘No, we’re not there yet’.
I’ve talked with a lot of people about GDPR over the past few months, and in my experience people are becoming more and more aware of it, but also more and more worried about it. Having taken positive steps to find out what’s involved, there tends to be something of a dawning realisation of the scale of the task in hand to achieve compliance, and most specifically to be able to demonstrate that compliance. The more you learn about it, the more it seems there is to do.
I think these fears are not helped by media reporting of the scariest aspects, but these are usually only a part of the full story of transgressions against which the ICO has taken action, which often get reported less objectively.
I’ve seen that arts organisations are concerned but also keen to use personal information responsibly. But perhaps there is a gap when it comes to fully understanding the proactive steps organisations must now take.
Putting audiences at the centre
I think my reaction was probably similar to that of many others who’ve found themselves (willingly or unwillingly) in the position of having to ‘take care of GDPR for the organisation’. It follows a fairly similar process to the stages of grief, I should imagine – first denial (“surely all that’s not really required?”), anger (“that’s completely ridiculous!”), bargaining (“well, maybe we’ll be OK if we just do xyz?”), depression (“really, I can’t do that? I need some gin”) and finally acceptance (“OK. We have to do this. Everybody has to do this. Let’s do it properly.”).
It’s at this point you can move on towards positive progress, to accept the requirements, and perhaps change the paradigm. Rather than worrying about the challenges of complying with GDPR, try seeing it as a positive opportunity to focus on audiences, really putting people in control of their personal information, and letting them be clear about how they want to communicate with us – and for us to be clear about how we want to communicate with them.
Long-term positive effects
Many organisations have expressed concern about the potentially large degree to which their marketing lists might shrink if, upon review, they have to either change their legal basis for contacting individuals (from, say, ‘consent’ to ‘legitimate interests’), or else go back to their audiences to get them to re-consent in a way that gives the audience more clarity about the ways their data will be used (detailing which comms channels might be used, for which uses, and which organisations their data might be shared with). That gives the organisation the audit trail of data required to be able to evidence their compliance. Such list-shrinkage may indeed be a result for some. But this might not be such a bad thing in the end.
While we may end up having smaller mailing lists, they will be built up of people who are very likely to be the most responsive, because on both sides of the conversation we’re very clear about what the conversation should be about, and how it should be conducted. The return on investment from the use of these new lists is likely to be higher – and there’s research around to back this up.
Practical steps to take now
It’s all very far from doom and gloom, and the upshot of implementing GDPR compliant practice could be a transformative experience for those who really get it right. But, with just six months to go, organisations really do need to make sure they’re acting now. There is a lot to think about, but it shouldn’t inspire panic. Here are some tips and resources, which could be useful in helping you work towards compliance.
Make a start
There seems an overwhelming amount to get through, which can cause paralysis if you think about the whole job. Think of GDPR as an ongoing process, rather than a mountain to climb against a deadline. The reality is that your data management policy will always need continual attention and review.
So, start somewhere, maybe with your data audit as the logical first step. Ask yourself what data you have and what you need to use it for? Is it necessary for you to hold all the personal information that you do, or can you responsibly dispose of any that you don’t really use? Don’t forget to document the work you do.
Think about your conditions for processing
When you have a clear understanding of what you need to do, and what data you need to do it, decide the legal basis (the ‘conditions for processing’) which allows you to use personal data in the way you need to. If you rely on consent, ask yourself whether the permissions that you have captured and stored comply with the requirements of GDPR, or whether you need to further clarify consent with your audiences.
This will be something you want to do sooner rather than later, because if you rely on consent and the permissions you hold are not up to scratch for GDPR, you can’t use that data after 25 May 2018. So you’ll want to get as much right as you can in advance of then, to limit the shrinkage of your marketing lists as far as you can. Put yourself in the place of your audiences and consider the information notices you give them, to help you understand what they can reasonably expect.
This applies equally if you use ‘legitimate interests’ – how and where have you given people the information about how you will process their data, and how they can exercise their rights to object, complain, and so on? And if you do use ‘legitimate interests’, how and where have you done a balancing exercise to weigh your organisation’s need to process the personal data against the rights of the individuals?
And remember – it’s personal information (e.g. names, addresses, email addresses, telephone numbers, cookies, etc.) from your mailing lists, ticketing systems, CRM, fundraising databases and so on, that you will use for contacting individuals, or to help you decide which individuals to contact, or not, that should be the principal focus. Audience survey data that you collect, if it is anonymous, is out of scope. Don’t forget to document the work you do.
Get help
You can’t do this all on your own. You will need the support of the board in prioritising the required time, resources and organisation-wide input (and if you struggle to get this, making clear where the liability for non-compliance sits should help).
You will also need the input of your colleagues – that’s everyone who encounters, collects, uses or manages personal information across the organisation – to ensure a holistic organisational approach and to disseminate policies and procedures. Arrange regular opportunities to meet, discuss progress, challenges and solutions. Don’t forget to document the meetings you have and the work you do.
Make use of resources
There is a wealth of useful information out there – and much of it is free. The ICO’s guidance is particularly helpful. There are specific resources such as the Getting Ready for GDPR checklist, and the Preparing for GDPR – 12 Steps to take now guide, both of which are useful starting points.
There are also guidance documents about things like doing Data Protection Impact Assessments that include templates you can use to work through. There are more resources emerging about specific areas like consent, automated decision-making and profiling.
The Association of Independent Museums (AIM) has published a useful guide to help small museums understand and successfully navigate the most important things to do now in working towards compliance.
For those organisations involved in fundraising, the Fundraising Regulator has produced useful guidance that will help you to understand your obligations under GDPR and develop a compliant approach to your marketing activities. The Institute of Fundraising has also published helpful guidance on the essentials of GDPR for fundraisers. The Audience Agency has also produced guidance around data sharing that is currently being updated to make sure the new requirements of GDPR are incorporated.
Systematically document your compliance procedures
There are many structured processes you can follow to help you document the work you have done to address and demonstrate your compliance – google ‘Data Protection Policy’, ‘GDPR framework’ or similar and see what comes up. The Audience Agency has produced a free sample data management policy structure document that sets out a staged approach to working through the key areas that you need to consider and documenting them.
If you haven’t already, make a start now and you’ll soon start to see progress being made. Put your audience and their wishes at the centre of your thinking, and let’s see how it benefits our relationships.
Leo Sharrock - Director of Data Platforms
First published on Arts Professional 30 November 2017