What is GDPR and why does it matter to me?
Stephan Garcia, CRM Manager, Digital Catapult ([email protected], @sgarcia421)

Upload: desynit

Post on 11-Apr-2017


TRANSCRIPT


So what is the GDPR…

The General Data Protection Regulation
25th May, 2018
The GDPR is characterised as wide-sweeping data reform that brings power back into the hands of the individual.

• Awareness
• Consent
• Control
• Responsibility

…and why does it matter?

Data Protection

Data Protection Through the Years

1984 – Data Protection Act
1987 – Access to Personal Files Act
1995 – EU Data Protection Directive
1998 – Data Protection Act (DPA)
2001 – Windows XP
2003 – Privacy and Electronic Communications Regulations (EC Directive)
2008 – iPhone

A Brief History (1997)

The BIG Difference

B2B vs B2C
Historically, it has come down to interpretation, as enforcement in the B2B world has always been lacking.

Personal Data

Personal data means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Source: ico.co.uk

The Problem

CRM is DRIVEN by Personal Data
How do you fight the theory that "If it doesn't exist within Salesforce, it doesn't exist"?

Customer Relationship Management

As Salesforce Professionals, we must start changing the way that we think about data.

The Problem

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

Customer Relationship Management

Awareness

There are two things every website has in common: a Privacy Policy and Terms & Conditions.
It is imperative that your data processing is outlined in both of these! Salesforce is not exempt from this!

Make sure that your customers know how and why you are using their data! When asked why you are collecting any piece of information, you must be able to provide a reasonable explanation.

What can I do?
• Gather your stakeholders together and review your Privacy Policy & Terms & Conditions
• Create a "Data Story" that enables you to explain the way that data travels through your organisation
• BONUS TIP! Make sure that this story has an ending!

Transparency is Key!

Awareness: Transparency is Key!

More Info: http://bit.ly/DigicatPDR

POC: Personal Data Receipts
Treating personal data submissions as transactions
• Increased visibility of data practice
• Multi-layered opt-in
• Accessibility

Consent

Pre-ticked checkboxes are a thing of the past.
This is defined in the regulation: consent must be given by a clear affirmative action from the individual. Silence, inactivity or a box that was already ticked when the page loaded does not count (GDPR Recital 32).

Recording of Consent
You must keep a thorough record of when and how consent was obtained.

What can I do?
• Get rid of any pre-ticked checkboxes!!!
• Make sure you store the source of the opt-in and the date on every level of opt-in.
• Review your data and make sure that you have a general idea of the source of each opt-in. You aren't required to re-request this information as long as you are comfortable that it was not obtained illegally.
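The two practical rules above (no pre-ticked boxes; store source and date for every opt-in) can be checked mechanically against a CRM export. The following is an added example, not code from the talk or from Salesforce: the `Consent` record, the `record_consent` and `audit_consents` functions and the `SAMPLE_CONTACTS` data are all constructed here to show what "evidence of consent" looks like as data and how to find opt-ins that lack it. In a real Salesforce org the same checks would run over your own opt-in fields (for example, a source and date field next to each opt-in flag on Contact or Lead).

```python
"""Consent-evidence audit for CRM contact records (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Consent:
    """One level of opt-in (per channel) together with the evidence for it."""
    channel: str                     # e.g. "email", "sms", "phone"
    opted_in: bool
    source: Optional[str]            # where the opt-in came from, e.g. "webform:newsletter"
    obtained_at: Optional[datetime]  # when it was obtained (UTC); None = unknown
    affirmative: bool = True         # False if the value came from a pre-ticked default


def record_consent(channel, ticked, pre_ticked, source, now=None):
    """Turn a form submission into a Consent record.

    A box that was already ticked when the page loaded is not an affirmative
    action (GDPR Recital 32), so it is never treated as an opt-in, even if the
    form arrived with it ticked. Source and time are still stored so that the
    gap is visible in a later audit rather than silently lost.
    """
    now = now or datetime.now(timezone.utc)
    if pre_ticked:
        return Consent(channel, opted_in=False, source=source,
                       obtained_at=now, affirmative=False)
    return Consent(channel, opted_in=bool(ticked), source=source, obtained_at=now)


def audit_consents(contacts):
    """Return (contact_id, channel, problem) for every opt-in that lacks evidence.

    `contacts` maps a contact id to the list of Consent records held for it.
    Opt-outs need no evidence; every opt-in needs a source, a date and an
    affirmative action behind it.
    """
    problems = []
    for contact_id, consents in contacts.items():
        for c in consents:
            if not c.opted_in:
                continue
            if not c.affirmative:
                problems.append((contact_id, c.channel, "opt-in came from a pre-ticked default"))
            if not c.source:
                problems.append((contact_id, c.channel, "opt-in has no recorded source"))
            if c.obtained_at is None:
                problems.append((contact_id, c.channel, "opt-in has no recorded date"))
    return problems


# Constructed sample data (not real contacts): ids mimic Salesforce 003 prefixes.
T = datetime(2017, 4, 11, 9, 0, tzinfo=timezone.utc)
SAMPLE_CONTACTS = {
    "003A": [Consent("email", True, "webform:newsletter", T)],                       # fully evidenced
    "003B": [Consent("email", True, None, T), Consent("sms", False, None, None)],    # email: no source
    "003C": [Consent("email", True, "import:legacy-2015", None, affirmative=False)],  # pre-ticked, no date
}

if __name__ == "__main__":
    for contact_id, channel, problem in audit_consents(SAMPLE_CONTACTS):
        print(f"{contact_id} [{channel}]: {problem}")
    # A submission from a pre-ticked box is never stored as an opt-in:
    print(record_consent("email", ticked=True, pre_ticked=True, source="webform:signup").opted_in)
```

The audit deliberately leaves opt-outs alone: the regulation asks you to evidence consent you rely on, not refusals. Contacts that come back flagged are the ones to re-permission or suppress before the next campaign.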

“Explicit Consent”

Control

The Right to Be Forgotten
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The Right to Be Forgotten

Control

The Right to be Forgotten
Any individual has the right to have their data erased without undue delay. This applies when the use of the data is complete (e.g. the end of a service agreement) or when it was collected or processed unlawfully.

Subject Access Requests
Similar to the Freedom of Information Act, this requires you to promptly disclose any information you hold on an individual. Where the request is made electronically the response should be provided in a commonly used electronic form, and it must be completed within one month. Subject access existed under the DPA, but a fee could be charged; under the GDPR it is normally free.

What can I do?
• Make sure you know where all personal data sits within Salesforce, and discuss with your team where other data might sit around the business.
• Create a checklist that enables you to track the deletion of data
• Create an easy way for your customers to request their data and/or erasure

The Right to Be Forgotten

Responsibility

Under the GDPR the data processor (e.g. Salesforce) carries direct obligations of its own alongside the controller (you), rather than sitting behind the controller's responsibility. The processor must provide guidance and education to its users to make sure that best practice is being followed.

Data Protection Impact Assessments (DPIAs)
The ICO has the right to request proof that a DPIA has been completed.

Data Protection Impact Assessments (DPIAs)
Infringement of the core GDPR provisions (the processing principles, the conditions for consent, data subjects' rights and the rules on international transfers) is subject to administrative fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of total worldwide annual turnover, whichever is higher.

“But Salesforce made me do it!!!”

Resources

The ICO – 12 Steps to Prepare Yourself for the GDPR
http://bit.ly/ico12steps

ICO – Guidance for Consent (more to come)
http://bit.ly/icoConsent

ICO – GDPR Overview
http://bit.ly/icoGDPRoverview

Trust the ICO

Thank You