The General Data Protection Regulations (GDPR) will have a great influence on email marketing. Recently we mentioned the way in which the GDPR defines personal data breaches and how to recognise them. Let’s look at how to plan for them.
You will need to ensure that your data controller, data processors, and everyone else who deals with personal data, such as your email marketing lists, has a high level of knowledge of the risks of a data breach and is able to recognise one.
Also, everyone in your company who can, for whatever reason, access personal data needs to have a level of knowledge commensurate to their role and level of risk. Such training will ensure that should the worst happen, a breach will be identified quickly, thereby reducing the injury to individuals and your company.
You must ensure that you have plans in place should there be a data breach. Your staff should be made aware of these plans and their individual responsibilities. Due to the need to respond quickly there might not be time for a specifically appointed person to assume their role in the initial stages so everyone who might have to take the role must be trained for it.
The GDPR establishes various levels of incident and your staff should be aware of these. They must know whom they should go to establish whether a breach has occurred and what type it is.
Once it is clear that a breach has occurred you should have a clear system whereby the correct person is informed. Whilst collecting details of the breach is important, the ICO must be notified in most cases by 72 hours regardless of the level of information.
You should consider regular checks on the level of knowledge of your staff, perhaps even running dummy scenarios of breaches. Damage limitation planning can mean the difference between a usable email marketing list and disaster.
Documentation of a breach and the way you have dealt with it is a new feature of the GDPR and we will cover that in a future article.
Useful link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/