Five important points of attention
Everything revolves around your (business) customers. The more you know about them, the more accurately you can respond to them and optimize business results. Many companies outsource certain activities within the organization. Think of catering, ICT and facility management. However, customer files and databases are often still managed entirely in-house. How can you be sure that you are handling the customer base correctly and that it is GDPR-proof? As we enter the new year, now is the perfect time to reflect on that!
The current state of affairs regarding the GDPR
The GDPR has now been in force for more than six months; time to take stock. The most notable result is that almost ten thousand people have submitted a privacy complaint to the Dutch Data Protection Authority (AP). These mainly concern violations of privacy rights in which more data is requested than necessary. Complaints are also frequently made about personal data being passed on to third parties without consent. The sectors with the most complaints are business services, IT and government.
Five requirements for a GDPR-proof database
You have certainly already taken many measures. Nevertheless, we have listed the most important ones, so that you avoid the complaints described above.
1. Obtain explicit permission when collecting the personal data
The personal data you have stored in your databases must always have been obtained legitimately. This applies both to 'standard' personal data and to pseudonymous data. Standard personal data include name and address details, telephone number, e-mail address and date of birth. Pseudonymous data cannot be directly traced back to a person; think of an IP address, user ID or employee ID. You may not use the personal data you have obtained for any purpose other than the one for which you requested permission. As in B2C, in B2B marketing it is mandatory to request an opt-in for commercial and charitable e-mails. In other words: sending someone an e-book because they requested it is allowed, but sending that person a monthly newsletter as well is not. The law makes no distinction between personal and business contacts.
2. Draw up a clear privacy statement
Indicate clearly which (business) personal data you use and for what purpose. The privacy statement must explain exactly and fully, in plain language, what you do with the personal data. You also inform people of their rights, such as viewing, correcting and even having their data erased. That is why it is important that it is clear within your organization which data about a person is actually processed. Also think of B2B and/or B2C data that you place with third parties, such as in your marketing automation tool.
3. Make sure that not everyone can view the customer and employee files
Map out which persons have access to personal data and which rights they hold. Set up a well-secured connection to the database environment and implement a backup strategy. In addition, always use secure servers and encrypt data in transit. To be able to demonstrate that the security measures actually work, you must test them periodically.
4. Draw up a processing agreement that is adapted to the GDPR rules
Do you engage processors? And do they in turn engage sub-processors? Make sure you have insight into this entire chain: where is the data and where does it go? Therefore, always draw up a processing agreement. In it you record the mutual agreements regarding the processing of personal data, such as:
- processing only on your behalf and instructions;
- reporting data breaches;
- participating in security audits;
- the duty of confidentiality.
In addition, the agreement stipulates that the processor is expected to take appropriate technical and organizational security measures.
5. Formulate a protocol for deleting personal data
Classify the personal data in such a way that you comply with the legal retention periods. Then draw up a protocol for correcting and deleting personal data that also verifies whether the person changing the data is authorized to do so. B2B companies should also clearly record why, and for how long, they store a business contact and their data.
A guaranteed safe way of working
Good data is indispensable for marketing and sales. At SalesQ we maintain a database on which we deploy people with the right knowledge and skills, using the most modern software applications. If necessary, we will build a database especially for you, based on various sources. And not unimportantly: we are ISO-certified (9001 and 27001), which guarantees a safe way of working!
Would you like to know more about how to properly handle customer files or discover how SalesQ can strengthen your organization? Visit our page on Customer Databases or contact us directly on +31 23 7113200.