The EU has created a new data protection law, the General Data Protection Regulation (GDPR). It is intended to provide one data protection law across the EU, which means organisations will be required to demonstrate consistent data protection compliance. The UK Parliament has already said that Brexit will not remove the need for GDPR compliance. In other words, when the UK leaves the EU, we will still need to demonstrate compliance with GDPR. I wanted to give our customers and new prospects a guide to GDPR. For those working with Microsoft Dynamics 365, Microsoft has published some great resources which can help you on your GDPR journey.
Keep reading for the exciting updates from Microsoft on GDPR. First, let’s discuss the law, the data, and links to key pages and resources from the ICO that I have found useful.
Enforcement of GDPR will commence on 25th May 2018.
From today’s date of 8th November 2017, that is just 197 days until GDPR comes into effect.
For those who work a 5-day week, that’s about 140 working days.
There are 6 key principles in GDPR, set out in Article 5(1):
- Lawfulness, fairness and transparency: you must be open about how you handle and use personal data, which means telling the person what you intend to do with it when you collect it. For more information see Article 5(1)(a).
- Purpose limitation: personal data may only be collected for specified, explicit and legitimate purposes and must not be processed further in a way that is incompatible with those purposes. Where consent is your lawful basis, that means staying within what the person agreed to. See Article 5(1)(b).
- Data minimisation: collect and keep only the personal data that is adequate, relevant and necessary for those purposes. See Article 5(1)(c).
- Accuracy: personal data must be accurate and kept up to date, with inaccurate data corrected or erased without delay. More information can be found in Article 5(1)(d).
- Storage limitation: keep personal data in a form that identifies people for no longer than necessary, so data that is no longer needed, or has been held beyond a reasonable retention period, should be removed. See Article 5(1)(e).
- Integrity and confidentiality: protect personal data with appropriate security, including against unauthorised or unlawful processing and against accidental loss, destruction or damage. See Article 5(1)(f).
PECR is the Privacy and Electronic Communications Regulations and works alongside GDPR. It covers:
- Marketing by electronic means, including marketing calls, texts, emails, and faxes.
- Security of public electronic communications services.
- Privacy of customers.
Some of the rules only apply to organisations that provide a communications network or service, but PECR will apply to you if you:
- market by phone, email, text or fax;
- compile a telephone directory (or a similar public directory).
The enforcement and fines are a huge consideration for businesses. The scale of the fines is a big change. There are two tiers: breaches of obligations such as record keeping, security and breach notification carry fines of up to €10m or 2% of total worldwide annual turnover, whichever is higher, and breaches of the basic principles for processing (including the conditions for consent) and of data subjects’ rights carry fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher.
Whilst these fines are considerable the law is about putting the consumer and citizen first. UK information commissioner Elizabeth Denham has said that “issuing fines has always been, and will continue to be, a last resort.” Denham confirmed that “the ICO will have the power to impose fines much bigger than the £500k limit set by the Data Protection Act… but it’s scaremongering to suggest … that maximum fines will become the norm.” Read the full interview from Computer Weekly which I found here.
For our customers, or those looking at CRM solutions, there are steps that you will need to take to ensure compliance. Here is a list of what we have focused on here at Caltech IT Limited, but you will need to ensure your own compliance by reviewing the legislation or see the ICO website for more details.
Data Quality for GDPR in Microsoft Dynamics 365 / CRM
- Ensure your data is correct – this is broad, but accuracy is itself a GDPR principle (Article 5(1)(d)), so it needs serious attention.
- Standardise records as much as possible: check spelling, and use dropdowns (option sets) rather than free text wherever you can.
- Duplicates – deduplication and merging. Duplicate records cause real problems under GDPR because the consent recorded on each copy may differ, so one copy could be marketed to while the other has opted out. Find and merge them as soon as possible, and when you merge, keep the most restrictive consent position. The merge wizard in your CRM does the mechanics, but someone still has to decide which values survive.
- Identify and deactivate old records. GDPR includes the “right to be forgotten” (the right to erasure). The ICO outlines 6 different scenarios, but for this purpose we can focus on “Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.” Please also see the retention timescales the ICO refers to.
- Validation – check that data is correct by verifying addresses and phone numbers. Again, a time-consuming job but valuable under the GDPR principles.
- Enhance data – add missing information. For example, are the counties in the same format across your system? Can you use your data in the best way possible? Bear in mind that GDPR also says data should only be collected for specified, explicit and legitimate purposes and cannot be processed if that processing isn’t in line with those purposes, so enrichment must stay within the purpose the data was collected for.
- Suppression records – record consent explicitly: has the person given permission, for which channels, when, and how? Is your CRM system set up to capture that, and to hold opt-outs as suppressions so a record is never marketed to by mistake?
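The deduplication and merge step above is easy to get wrong when the two copies disagree about consent. The following is an added example (not code from the original post or from Caltech IT, and not the Dynamics 365 merge wizard) that groups contacts by normalised email address and merges each group so that an explicit opt-out on any copy survives the merge. The record shape, the field names `email_consent`/`sms_consent` and the sample rows are assumptions made for the example.

```python
# Added example, not code from the original post or from Caltech IT: group
# duplicate contacts by normalised email address and merge each group so the
# surviving record keeps the most restrictive consent for each channel.
# Record shape, field names and the sample rows are assumptions for the example.
from collections import defaultdict

# Ordering used when two duplicates disagree: an explicit statement beats no
# statement, and an explicit opt-out beats everything.
CONSENT_RANK = {"unknown": 0, "opted_in": 1, "opted_out": 2}
CONSENT_FIELDS = ("email_consent", "sms_consent")


def normalise_email(addr):
    """Trim and lower-case so 'Jane.Doe@Example.com ' matches 'jane.doe@example.com'."""
    return addr.strip().lower()


def merge_consent(a, b):
    """Return the safer of two consent values (opt-out always wins)."""
    return max(a, b, key=lambda v: CONSENT_RANK[v])


def merge_records(group):
    """Merge duplicate records into one. Consent fields are merged with
    merge_consent; other fields keep the first non-empty value seen, and the
    ids of every source record are kept so the merge itself is auditable."""
    merged = {"email": normalise_email(group[0]["email"]), "merged_from": []}
    for field in CONSENT_FIELDS:
        merged[field] = "unknown"
    for record in group:
        merged["merged_from"].append(record["id"])
        for key, value in record.items():
            if key in CONSENT_FIELDS:
                merged[key] = merge_consent(merged[key], value)
            elif key not in ("id", "email") and value and not merged.get(key):
                merged[key] = value
    return merged


def deduplicate(records):
    """Group by normalised email and merge each group; returns one record per address."""
    groups = defaultdict(list)
    for record in records:
        groups[normalise_email(record["email"])].append(record)
    return [merge_records(group) for group in groups.values()]


# Constructed sample data (not real contacts). C1 and C2 are the same person:
# one copy says she opted in to email, the other says she opted out.
SAMPLE_CONTACTS = [
    {"id": "C1", "email": "Jane.Doe@Example.com", "name": "Jane Doe",
     "email_consent": "opted_in", "sms_consent": "unknown"},
    {"id": "C2", "email": "jane.doe@example.com ", "name": "",
     "email_consent": "opted_out", "sms_consent": "opted_in"},
    {"id": "C3", "email": "bob@example.org", "name": "Bob Smith",
     "email_consent": "opted_in", "sms_consent": "opted_in"},
]

if __name__ == "__main__":
    for record in deduplicate(SAMPLE_CONTACTS):
        print(record)
```

Run as-is and the two Jane Doe rows collapse into one record with `email_consent` of `opted_out` (because C2 opted out) and `sms_consent` of `opted_in` (C1 had no SMS information, C2 had an explicit opt-in). Matching on email alone is deliberately simple; a real CRM would also match on phone and postal address, but the merge rule for consent stays the same.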
GDPR Consent good practice for CRM systems
One of the biggest changes for organisations when GDPR comes into force is the standard of consent. GDPR does not use the term “double opt-in”, but it requires consent to be freely given, specific, informed and unambiguous, and Article 7(1) requires you to be able to demonstrate that the person consented. For electronic marketing, double opt-in (the person signs up, then confirms from the address they gave) is the practical way to meet that standard. We recommend double opt-in for all leads, prospects, suspects AND customers, AND the double opt-in must be provable.
- Start warming up your leads now by asking for consent using double opt-in. Consent you already hold only remains usable if it meets the GDPR standard and you can evidence it; leads who never actively confirmed (a pre-ticked box, an assumed opt-in) will no longer be viable and need to be double opted-in.
- Get in touch with your customers asking for consent – ensure it’s provable.
- Set in place a process for how new contacts visiting your website will be captured with double opt-in for further marketing communications. The contact form takes them to a confirmation page where they give their consent; you then prove they control the address by sending an email with a confirmation link, and only record consent once that link is followed. Tie the link to the email address so it cannot be used to confirm a different one.
- Pull together a strong opt-in message. Getting the message right is crucial: I really liked this blog from Econsultancy’s Ben Davis offering advice and working examples.
- One key consideration alongside GDPR is cold calling and the other PECR channel rules. Email and SMS marketing to individuals must be opt-in (PECR’s soft opt-in exception only covers your existing customers). Live marketing calls are opt-out: you may call unless the person has objected or the number is on the TPS (CTPS for businesses), but automated recorded calls require consent. Fax to individuals requires consent, while fax to organisations is opt-out via the FPS. Post is outside PECR, but under GDPR people can object to direct marketing at any time.
You can use your CRM solution to ensure double opt-in.
Here are some ideas if you use Dynamics 365.
GDPR and Dynamics 365 using ISV Click Dimensions
You can invest in Click Dimensions. This is a one-stop marketing automation solution built for Dynamics 365. See here how easy it is to set up double opt-in with Click Dimensions for GDPR and Microsoft Dynamics 365.
MailChimp and WordPress
If you have a WordPress website and a MailChimp ESP account, you can capture double opt-in using forms on the site and then enable double opt-in in MailChimp. This is an affordable way to obtain provable consent. We love MC4WP premium. PowerMailChimp will then let you capture the opt-ins and suppressions directly in your CRM data, so the records you market from reflect what the person actually agreed to.
Use your Dynamics 365 / CRM solution to ensure that you capture the consent and opt-outs. You will need to know:
- Who has double opted-in to email marketing
- Who has double opted-in to SMS marketing
- Who has opted out
- Who has not given consent
And so on. If you map out your data flow you can set out the exact requirements and make sure each one is a field in CRM: not just a tick box, but the date, the channel, the source (web form, confirmation email, phone call) and the wording the person agreed to. Workflows can keep those fields updated automatically when a confirmation or an unsubscribe arrives, and the suppression check should run against them before every send.
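The website capture process described earlier (form, confirmation page, confirmation email tied to the address) and the consent fields listed just above are two halves of one mechanism. The following is an added example, not code from the original post, Click Dimensions, MailChimp or Microsoft, showing both halves: a confirmation token bound to the email address and channel with HMAC, so a link for one address or channel cannot confirm another, and an append-only consent ledger that records what was asked, when and from where, and answers “who is double opted-in, who is pending, who has opted out”. The secret key, the field names, the IP address and the timestamps are assumptions made for the example; in a real deployment the key comes from your secret store and the ledger is your CRM’s consent fields and history.

```python
# Added example, not code from the original post, Click Dimensions, MailChimp
# or Microsoft: a provable double opt-in flow and the consent ledger behind it.
# 1. the web form records a *pending* request (not yet consent);
# 2. the confirmation link carries a token bound to the address and channel;
# 3. consent is recorded only when a valid, unexpired token is presented,
#    with the evidence (wording, time, source) you need to demonstrate it.
# The secret key, field names and sample timestamps are assumptions.
import hashlib
import hmac

SECRET_KEY = b"replace-with-a-key-from-your-secret-store"  # assumption: load from a vault
TOKEN_TTL = 48 * 3600  # seconds a confirmation link stays valid


def _signature(email, channel, issued):
    # Bind the token to address, channel and issue time so a link for one
    # address or channel cannot be replayed to confirm another.
    message = f"{email}|{channel}|{issued}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_token(email, channel, now):
    return f"{int(now)}.{_signature(email, channel, int(now))}"


def verify_token(email, channel, token, now):
    try:
        issued_text, sig = token.split(".", 1)
        issued = int(issued_text)
    except ValueError:
        return False
    if now - issued > TOKEN_TTL or issued > now + 60:  # expired, or from the future
        return False
    return hmac.compare_digest(sig, _signature(email, channel, issued))


class ConsentLedger:
    """In-memory stand-in for the consent fields and history in your CRM."""

    def __init__(self):
        self.events = []  # append-only evidence trail
        self.state = {}   # (email, channel) -> current status

    def _record(self, email, channel, status, at, **evidence):
        self.events.append({"email": email, "channel": channel,
                            "status": status, "at": at, **evidence})
        self.state[(email, channel)] = status

    def request(self, email, channel, wording, source_ip, now):
        """Step 1: form submitted. Store what was asked, when and from where."""
        email = email.strip().lower()
        self._record(email, channel, "pending", now, wording=wording, ip=source_ip)
        return issue_token(email, channel, now)

    def confirm(self, email, channel, token, now):
        """Step 3: link followed. Only a pending request with a valid token becomes consent."""
        email = email.strip().lower()
        if not verify_token(email, channel, token, now):
            return False
        if self.state.get((email, channel)) != "pending":
            return False  # already confirmed (replay), or opted out since the request
        self._record(email, channel, "opted_in", now, token=token)
        return True

    def opt_out(self, email, channel, now, reason="unsubscribe link"):
        self._record(email.strip().lower(), channel, "opted_out", now, reason=reason)

    def may_contact(self, email, channel):
        """The suppression check to run before every send."""
        return self.state.get((email.strip().lower(), channel)) == "opted_in"

    def report(self):
        """Who is double opted-in, who is pending and who has opted out, per channel."""
        out = {"opted_in": [], "pending": [], "opted_out": []}
        for (email, channel), status in self.state.items():
            out[status].append(f"{email}/{channel}")
        return out


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = 1_510_000_000  # constructed timestamp, not a real submission
    token = ledger.request("Jane.Doe@Example.com", "email",
                           "Yes, send me Caltech IT news by email", "198.51.100.7", t0)
    print("tampered:", ledger.confirm("jane.doe@example.com", "email", token[:-1] + "x", t0 + 60))
    print("other address:", ledger.confirm("mallory@example.com", "email", token, t0 + 60))
    print("expired:", ledger.confirm("jane.doe@example.com", "email", token, t0 + TOKEN_TTL + 1))
    print("valid:", ledger.confirm("jane.doe@example.com", "email", token, t0 + 60))
    print(ledger.report())
```

Two design points matter for provability. The request and the confirmation are separate events with their own timestamps, so the record shows both that the person asked and that someone controlling the address confirmed; and the ledger is append-only, so an opt-out never deletes the earlier opt-in evidence, it supersedes it. `may_contact` is the one function your send process should call, which keeps the suppression logic in a single place rather than scattered across tick boxes.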
GDPR and Microsoft Dynamics 365 Update including free resources from Microsoft
For those of you using Microsoft Dynamics 365, Microsoft has confirmed:
Read more in Microsoft’s whitepaper “Beginning your GDPR journey: accelerate GDPR compliance with the Microsoft Cloud.” This way to Microsoft.
Microsoft has also offered an assessment tool which is useful for all types of organisations. Download your GDPR Microsoft Dynamics 365 assessment tool from the Microsoft page here.
We hope this helps, but please let us know how your GDPR plans are going. Will you be ready in time? The clock is ticking…