GDPR: a common sense approach.
Brad is cleaning our data to ensure we are GDPR-compliant.
In reality, under GDPR, explaining how and why you deleted data will probably be more important than identifying the data you hold.
A pub chain deleted all its customer data and shut down all its social feeds. Whether or not you know who they are is irrelevant. Either way, it is a simple but effective way of dealing with GDPR without ending up with the data wooden spoon.
For many companies, deleting the customer data would be akin to committing business suicide. Other companies would do well to consider whether the time they spend on social platforms is money well spent…
So GDPR is the art of being single-minded about keeping only the data you need to keep your customers happy.
Asking your customer to opt-in will elicit the same response as asking turkeys to opt-in for Christmas. They might know or not know about Christmas, but they will wonder what they are letting themselves in for.
Avoid the ‘opt-in’ approach except as a last resort.
Your existing customers have effectively done a ‘soft opt-in’ as a result of the business relationship they have already voluntarily entered into: they understand you need some basic data to fulfil their order. You still need to reach out to them, though, and let them know about the new rules of the game: you only hold the data necessary to fulfil their order, and you will delete that data once you no longer need it, to honour the warranty for example. They have not ‘opted in’ as such; they understand that, in order to fulfil their order, you need specific information. It would be difficult to explain why you need their age or why you have their card details on your system…
All the customer data associated with orders that are no longer current must be deleted. If you manage to get them to subscribe to a newsletter, then their data automatically becomes clean: they have voluntarily engaged in a business relationship by asking you to provide a service.
So, are you going to be compliant and avoid the fine? These are two totally different questions. Are you going to be compliant? No. The rules are so complex that it will be easy for any ICO auditor to find non-compliance if they put their mind to it. Will you get fined? If you can demonstrate that you have taken GDPR seriously and that you have put in place processes not only to meet GDPR but also to check whether these processes are effective (PIAs, anyone?), then you are unlikely to be fined… unless you demonstrate a totally incompetent approach. If you say that all your customer data is held in two databases and an auditor finds boxes of data lying around, then a fine will likely go your way.
If you follow the spirit of the rules, make decisions when decisions have to be made, are able to explain the rationale behind the decision and ensure that an auditor cannot point at data you have either not plainly identified or obviously ‘not thought about’, then you are good to go.
From then on, carry out regular Protection Impact Assessments (the famous PIAs), report on them clearly by RAG-rating them (red, amber, green), demonstrate progress over time, and you will be able to sustain the GDPR drive and have room to focus on other things…
Looking for a foolproof solution? Deploy the ISO 9001:2015 standard.
If you are looking for an original way to clean your data, Brad is your man.
He will just argue that his world is more about app design...
Question or challenge? Just reach out: [email protected]