Can you tick our nine boxes to prove that it can?
With GDPR less than a year away, and with a plethora of organisations offering GDPR advice on everything from ‘legitimate interest’ to ‘privacy statements’, we would like to help by offering what we hope is clarity around one part of the GDPR preparation process.
In our opinion, if your organisation holds personal information, these are nine boxes you need to be able to tick to be GDPR compliant from a technology perspective:
1. Do you hold all the information you have about an individual in one place (we call this the single customer view or SCV), so that you can respond to requests from individuals to see, transfer, amend or delete their data or to change their permissions?
2. Does your SCV do the best possible job of matching individuals across all their identifiers, from email to mobile number? Any information that can point to an individual can be used as part of the matching process.
3. Can you receive and record consents and opt-outs via all the channels through which an individual can communicate with your organisation, e.g. from website to post-room?
4. When recording consents or opt-outs can you record the date, the channel through which they were received, and the statement to which they were consenting, or from which they were opting-out?
5. When an individual has provided multiple consents at different times, which may contradict each other, do you keep each consent record separately, and can you derive rules from them which allow or restrict specific marketing activities? (Marketing activities may also include profiling the individual’s data).
6. If the individual has requested that their data is not to be used for profiling, can you in practice prevent that data from being used to derive e.g. segmentation or propensity scores?
7. Can you easily look up an individual’s single customer view (e.g. when they have called into a call center) and then act on instructions to copy, transfer, amend or delete their personal data?
8. When asked to delete an individual’s personal data can you do this both from the SCV and from all upstream systems that have fed the SCV?
9. When deleting personal data do you leave all other data relating to the individual in place so that e.g. transactional data can still be included in sales totals?
If you have ticked all nine boxes, your technology is ready to face GDPR!
If not, would you like to talk to us? We have cloud-based technology ready to support your GDPR compliance.