With the EU’s General Data Protection Regulation (GDPR) going into effect on May 25, many organizations are coming to the realization that the time for action has arrived, or may actually have arrived unnoticed many months ago.
For some, marketing is the first to experience this sinking feeling of an impending deadline because of the potential risk presented by all the personal data bouncing around in marketing analytics systems, contact information for leads gleaned from company website campaigns, conference attendees, third-party lead lists, and so on.
And it may be tempting for marketing to attempt to take the lead in preparing for the new regulation because of this mass of potentially risky data (or, in some cases, marketing may have actually been tasked with GDPR readiness by company leadership). However, any reasonable foray into this space quickly reveals the problem can be a lot larger than it first seemed and likely is larger than marketing alone can address. There are several steps that can be taken.
First, there’s no good way to simply carve out a single department or business unit for regulatory compliance. Data Protection Authorities, which are the supervisory authorities in the EU responsible for investigating and enforcing compliance with the regulation, are going to expect that the entire organization understands what data it’s collecting, how it’s being used, and what measures are in place to ensure that the rights of EU residents are protected. Confining compliance efforts to a single department—even if that department holds the lion’s share of the personal data—may reduce the overall risk, but it won’t limit the organization’s legal liability.
Second, successfully meeting your organization’s obligations requires a broad range of disciplines. One of the first steps in building out a compliance plan is identifying and thoroughly documenting all the organization’s data-processing activities, and then demonstrating a legal basis, such as consent or contractual obligations, for each. The first and second steps of the infographic describe this work at a high level; however, doing it well requires involving disciplines ranging from engineering to operations to legal, and possibly human resources.
Other departments or business units may also be using some of these resources, and their involvement will be crucial to completing an accurate and comprehensive inventory. Coordinating horizontally across all these teams will likely prove a major challenge without involvement from senior leadership.
Third, driving this kind of broad, organization-wide change may require significant updates to top-level policies, and this will require involvement from legal, compliance, and other organizations likely to be affected. If you are transferring data to or receiving data from third parties, those contracts will likely need to be examined and possibly modified, which will again require assistance from legal.
Lastly, it’s not unlikely that engineering work will be required to make changes to the organization’s software and websites, including customer-facing workflow changes, consent collection and management, and other changes that permit customers to view, update, or export their data, or to request that it be deleted.
The message here is that these are all endeavors that typically exceed marketing’s charter—and they are all activities marketing will probably want to avoid owning.
Regardless, with the deadline approaching so rapidly, any plan is better than no plan, and being able to demonstrate commitment and an organized, risk-focused approach with measurable and demonstrable progress will tell a much better story for an organization still working on compliance when GDPR day comes in May.
If marketing finds itself taking point on this important project, probably the best first thing for marketing to do is what it does so well: make the case for the project internally, build consensus and agreement with strong leaders in the organization, and act as champions for the effort. In that way, marketing can enable success.