GDPR checklist


GDPR checklist

Patrick Van Kann

Everyone’s talking about GDPR. But what do you actually need to do? Patrick Van Kann, Technology Partner at Digitas, outlines some key steps that will help you and your company prepare. 

Don’t panic
There’s plenty of GDPR advice out there but it’s mostly about scaring people. Yes, this is serious. But the ICO mainly wants to help companies become good data custodians, respect privacy and use personal data responsibly. We believe they’re more likely to use fines for repeat offenders.

Show you’re serious about privacy
If organisations are taking GDPR seriously, they’ll have a Data Protection Officer, they’ve done a GDPR audit and they’ve started taking steps to improve things. The ICO is likely to take this into account if there’s a breach. It’s about reasonable measures - and what’s reasonable for one organisation may not be reasonable for another.

Assess the risk
Just as organisations differ, recognise that some attract activist attention and they may see GDPR as a great opportunity to turn the spotlight onto you. If you’re a self-employed plumber in Barnsley you won’t be attracting the same kind of attention as a bank or pharma company.

Don’t leave it to the lawyers
If you delegate compliance to your lawyers, you risk creating a process that may capture consent but at huge cost. In one instance, a legal team slapped so many warnings on the sign-up process, the business saw a 75% drop in conversions.

Marketing and legal teams are incentivised differently. Legal departments take a defensive posture. They look at the potential fines and say, “We have to be squeaky clean and can’t have any risk”. Work with your legal department to prevent them crippling your digital marketing. It’s definitely worth considering whether consent is the right lawful basis – legitimate interest may apply for many typical marketing activities. You need to be certain you have balanced your interests carefully against the rights of your customers.

Design for privacy
A key problem is that there aren’t yet established UX principles or patterns for GDPR consent. For example, excessive or intrusive consent requests during sign-up processes may have to be rolled back later on when you realise no-one is providing consent. Get your UX and legal experts together to help balance compliance with usability.

Do no harm – and do no self-harm
GDPR demands a kind of Hippocratic Oath for data: do no harm - to others or yourself. Make sure that you’ve made correct assessment of the real risk and balancing that appropriately - and that you’re not just taking an extreme defensive posture because you could end up harming your digital marketing - and your business - quite badly.

The age of consent
GDPR isn’t just a compliance issue – it’s an opportunity for you to manage an adult and symbiotic relationship with your customers in digital marketing. We need to roll back some of the spooky programmatic stuff, which is what irritates people. We have to have a value exchange where customers see the value in giving up their data and managing their own preferences actively.

Seize the strategic opportunity
The granular permissions required by GDPR should strengthen dialogue with your customers. Once you have a sharper understanding of what customers want, you can segment and score them more accurately. This creates a virtuous circle of preference, where the more relevant you are, the more likely that customers will want to connect to you. If GDPR gives you a better view of your data, it should give you a better view of your marketing.

Patrick Van Kann

Patrick Van Kann

Technology Partner

Patrick van Kann joined Digitas as a Technology Partner in early 2016 to lead on technology for Honda and HSBC. Previously, he spent 4 years leading the technology practice at R/GA in London where he delivered the technology that powered award winning products and platforms for Google, Microsoft, Dyson, Unilever and Beats by Dre and re-engineered the agency's technology and delivery processes globally to embrace agile and lean principles. Prior to that he was Engineering Director for Walt Disney International where he was responsible for mission critical content management, identity and CRM systems used to power web and mobile experiences globally.


GDPR – advice from the DMA