10 tips to make sure your business is GDPR compliant

The introduction of the General Data Protection Regulation (GDPR) on 25 May will radically change the way the live music industry can use the personal data of its European customers.

The new law will considerably strengthen the rights of individuals to control how their data is handled, and will mean companies are under far greater regulatory scrutiny about the use of data entrusted to them. Get it wrong and organisations could face fines of up to 4% of global turnover, or €20 million, whichever is the lower, and could result in customers demanding that all the data held on them is deleted.

Chris Austin asks Giles Watkins from the International Association of Privacy Professionals (IAPP) for ten tips on how businesses can best prepare for GDPR…

Appoint a data protection officer
Every business that processes personal data should have someone in charge of data privacy who is familiar with the law and can lead the organisation through the GDPR requirements. However, for some organisations, this will be mandatory. They will need to be given a budget and the necessary authority, and should report directly to a senior executive who can make sure things happen efficiently.

It will not be easy to find someone with the appropriate skills and qualifications, who knows both the relevant privacy laws and how to apply them to business processes, while also making sure full advantage is taken of the opportunity to engage more deeply with customers.

A data protection officer is a mandatory requirement if you are regularly or systematically processing large volumes of personal data. A lot of live music industry organisations will fall into that category. The IAPP has conducted research that suggests the GDPR will result in the need for 75,000 additional privacy officers, worldwide. Currently, there is a massive skills gap in the market.

If one is appointed, their name must be registered with the regulator and they must have the freedom to report directly to the regulator without fear of any disciplinary action or other recriminations.

It will be possible to outsource the mandatory data protection officer role, so we will doubtless see huge growth in companies offering this service.

Be upfront and transparent with customers about the way you use their data
Profiling and the use of digital technology to target consumers with offers and messaging provide many advantages for both companies and their customers but it is important to be transparent about how data is gathered and used. If consumers become unnerved by the way their data is being used, the reputation of the organisation using it can be very quickly destroyed.

Invest in training
It is vital to invest in data privacy training across the company, the main reason being that there is no quick fix or silver-bullet technology solution that you can put in place to ensure your business is GDPR compliant. It comes down to people knowing what they are dealing with, knowing how to handle the data, and what they are allowed to do with it. They should also know when and who to ask for help.

The entire workforce should get some level of basic training and it will be necessary to customise training for certain departments within the organisation, such as HR or marketing.

It is vital to get the right training strategy in place as soon as possible.

“If consumers become unnerved by the way their data is being used, the reputation of the organisation using it can be very quickly destroyed”

Invest in technology
There are a number of companies offering technology that can handle key aspects of data privacy, particularly data consent management. There are numerous rules within GDPR about what valid customer consent looks like. GDPR has made it much tougher, so people are increasingly using technology and tools to make that a less intrusive process for customers and a much better managed process for companies.

Also, to keep the data stored, organised and managed, you need some kind of technology platform to help meet with the requirement to maintain records of data-use and related risk assessments.

Create an accountability network
The GDPR formally introduces the concept of accountability, i.e. being able to demonstrate that you are taking your data protection responsibilities seriously. Having a formal framework for the day-to-day management of privacy within the organisation is one way in which you can demonstrate this. Having some clear organising principles around privacy helps ensure staff and business partners recognise and understand what the rules on processing personal data are. Clear and consistent rules also help increase the efficiency and minimise the cost impact of GDPR compliance.

Create a proper data inventory
It would be advisable, and for many organisations mandatory, to create a register of the personal data you hold, where it is stored within the organisation, and where it flows to, because without proper data mapping you cannot really assess the risks around the data you are collecting and the way it is being used.

“Clear and consistent rules also help increase the efficiency and minimise the cost impact of GDPR compliance.”

Create a system to deal with data breaches
Previously, there has not been a mandatory requirement in the EU to issue data breach notifications but, under GDPR, organisations must report breaches to the regulator within 72 hours.

If you have a breach, it is important to have a process in place to deal with the ramifications. Your communications team needs to be involved and the CEO informed, as it is a serious issue. If you do not have a process in place that you can switch to, there is a good chance you will not meet the deadline, and not meeting the deadline puts you at serious risk of a huge fine. In extreme cases, regulators also have the power to suspend a company’s processing activities subject to investigation, and consumers will potentially be able to work together to bring class actions.

Prepare for cross-border data movement
You have to have permission to move data from one country to another. It you want to move data out of Europe to another country, such as the United States, you have to have a mechanism in place to make sure that the transfer is legal.

Conduct privacy impact assessments
It is mandatory under the GDPR to undertake privacy impact assessments if you are processing data that could present a high risk of harm if things go wrong. The GDPR does not define the harm or high risk, but if you are processing a lot of personal data it is worth undertaking privacy impact assessments because if something does go wrong, an assessment is one of the first things that a regulator will ask to see. In theory, a regulator can drop in at any time and ask to see assessments and other evidence that you are taking your data protection responsibilities seriously.

“It is important to consider and be aware of what these rights could do to your business model.”

Assess how the new consumer rights will impact your business model
EU citizens will have enhanced rights under GDPR, including the ability to access and make corrections to any of the data you hold on them. They can also request a copy of all of the data you hold on them, in a form that they can easily pass to others. Consumers will also be able to object to some or all forms of processing or profiling including them being targeted with recommendations based on their previous concert ticket purchases.

Consumers also have the ‘right to be forgotten,’ meaning they can request you delete all of their data. Deleting all of a customer’s data is not as easy as it sounds, organisations will need to know where every element of the data is stored.

Another key consumer entitlement is data portability, for example, a ticket agency may find a customer insists they move all their data, all the history and profiling that has been done on them, to a competitor.

It is important to consider and be aware of what these rights could do to your business model.

Get more stories like this in your inbox by signing up for IQ Index, IQ’s free email digest of essential live music industry news.