Today, half the world believes that a horde of greedy lawyers will attack the poor entrepreneurs, associations and website operators who did not prepare properly for the GDPR. We want to make a constructive contribution and show how we deal with the GDPR and meet its requirements. Maybe you'll find it interesting and discover some ideas you can use yourself or for your organization. The main point I want to make is that you need to deal with the topic professionally and seriously. Fear doesn't help anyone.
Oh, how we laughed, joked, ranted, marveled and grumbled. Finally it's here: the law that will justify the biggest wave of cease-and-desist letters in Germany... or not.
Interestingly, most people seemed to notice only in the last 10 to 14 days that the EU's new General Data Protection Regulation (GDPR) will actually and really come into force. You can no longer simply store all shoe sizes and other "measurements" of customers and website visitors without asking them for their permission.
Ask me, because I am your customer
If I were to summarize the GDPR, I would do it this way: if the customer explicitly consents, (almost) everything can be done. Explain properly, ask the question and wait for approval. That's what companies have to do. The reactions from the companies who contact me as a customer or user partly make me believe that it is not only American entrepreneurs who don't care what their customers want. The question is never asked. Neither consent nor rejection is given.
Show us your solution: What we have done
And yes, we had not asked everywhere we needed to. That's why we have been sweating in the last months and weeks, and our team has now built a solution that I would like to present with a little pride. I would have liked to have done it sooner. But, in good company with the rest of the world, we've only just finished. So there will be bugs to be fixed and problems will occur. As always with software.
We have an internal chat group. For weeks we have collected all emails about the GDPR that arrive here. And that's hundreds. One thing (almost) all of these mails have in common: they are purely informative. The best thing I've seen so far was a request to confirm my subscription to a MailChimp newsletter. We used that template ourselves.
The fact that the basic requirement of explicit consent is so unanimously ignored by everyone remains strange. There may be a wave of cease-and-desist letters, but I still don't expect the world to end. This may, however, be the reason for the fear of what will actually happen.
Silke's best suggestion was: "We'd better close up shop." This best summed up the mood of a group of staffers who had met for breakfast in the morning. "Fear of job applicants' cease-and-desist letters is rampant..." We could add a few tasks that we had to do because of this. I don't even want to know how much time other companies have spent dealing with the GDPR.
No identification, no GDPR
An important assumption we made: as long as we do not hold any identifiable information that actually allows us to draw conclusions about a person, the new law does not apply. That is debatable, and we have debated it internally. I am aware that the term "identifiable" is very flexible. I will not go into our internal discussions right now. Even if the sentence above is not complete, it represents my understanding well enough for this article. So where and how did we define the scope?
The request for consent comes from our CRM system
As soon as someone is identified, our GDPR process takes effect. In fact, the simplest form is the existence of an email address. As soon as someone fills out a form, has a chat with us, sends us an email, or gives us a business card and we enter their data into our CRM system (Highrise), they automatically appear in a list. In this list you can set the language of the email to be sent:
This portal is completely internal (and therefore also really ugly 🙂 ). We (currently still I) go through the list manually and categorize the email addresses. We'll keep doing that while things are going well. We still have 30 days to get our customers' approval. I'm looking forward to the first response. If you wish, you can also contact us (in the chat at the bottom right with your email address) to see our process for yourself.
After we've categorized an email address, the next step is that the customer receives an email (hopefully in the right language). There's also a dual-language version. Attractive and friendly? Not really. I hope that we will always get the language right - hopefully with more automation and less manual work in the future.
This is our email requesting consent to store and process data
And then the email goes out to the customer. That's what it looks like right now:
This is the variant with German and English. Actually, as already mentioned, only one language version should be included.
We get on your nerves until we get an answer
Yeah, that's kind of nasty to our customers, too. Because if we don't get their consent, we have to delete their data. You could probably still claim operational requirements - it's such a grey area of the law, where nobody knows how far it can be interpreted. We will insist on the consent of interested parties (i.e. those who are not yet customers). We can, because we receive so many inquiries anyway that we sometimes do not know who is really interested and who isn't. Consent replies will now make this more visible to us.
We will even consider calling important customers to get their approval. But not yet.
How the GDPR portal works
The customer can either deactivate their profile or consent to its storage from a link in the email. In the portal itself, you can delete your profile completely or put limitations on your consent. For example, you can allow email, but disable personalized tracking. Or decide whether and which data may be viewed by others (e.g. on the extranet, where our customers can exchange information).
Our customer portal demonstration
Here is my presentation of the portal in a short video:
The following options are available in the portal:
Change the language: You can switch between English and German.
Create an account in the customer portal: Every customer can view and edit their data by creating their own login. The data is already stored with the email and the link. But a true account is even better.
Modify your own data: Customers can view and edit the data we have stored about them via the portal. On the same page you can also set which data may be exchanged (for example with other customers in our extranet).
Give your consent or revoke it completely: Your consent can be given or revoked in the portal for storing and processing data as well as for email newsletters, for tracking and for exchanging information in our extranet. In addition, you can deactivate or delete your profile. Deactivating is like deleting, except that we keep the profile to remind us that you don't want us to contact you. Deletion also means forgetting everything, which means that, because we no longer 'know you', we may contact you again.
Specify your interests: We assume we have many contacts who actually want us to get in touch and stay in touch with them. They can tell us which topics they are interested in.
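The consent process described above (identification via an email address in the CRM list, per-purpose consent in the portal, the 30-day deadline, and the difference between deactivating and deleting a profile) is easy to get subtly wrong, so here is an added, stand-alone model of it in Python. It is not the company's code; the class and method names are assumptions, and the deactivated state is reduced to keeping only the address as a "do not contact" marker rather than the full profile.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
PURPOSES = ("storage", "newsletter", "tracking", "extranet")  # the portal's four toggles

@dataclass
class Contact:
    email: str
    language: str            # "de" or "en": which consent email to send
    identified_at: datetime  # when the address first reached the CRM list
    consent: dict = field(default_factory=dict)  # purpose -> bool; missing = no answer yet

class ConsentRegistry:
    def __init__(self, deadline_days=30):
        self.deadline = timedelta(days=deadline_days)
        self.contacts = {}       # email -> Contact: the list the article's CRM produces
        self.suppressed = set()  # deactivated: only the address is kept, as "do not contact"

    def identify(self, email, language, now):
        if email in self.suppressed or email in self.contacts:
            return False         # deactivated or already known: send no new request
        self.contacts[email] = Contact(email, language, now)
        return True

    def record_consent(self, email, **decisions):
        contact = self.contacts[email]
        for purpose, given in decisions.items():
            assert purpose in PURPOSES, purpose
            contact.consent[purpose] = bool(given)

    def allowed(self, email, purpose):
        # Storage consent is the precondition for every other purpose.
        c = self.contacts.get(email)
        return bool(c and c.consent.get("storage") and c.consent.get(purpose))

    def deactivate(self, email):
        # Forget the data but remember the address so we never ask again.
        self.contacts.pop(email, None)
        self.suppressed.add(email)

    def delete(self, email):
        # Full erasure: we no longer "know" the person, so a later identify() succeeds.
        self.contacts.pop(email, None)
        self.suppressed.discard(email)

    def purge_unanswered(self, now):
        # No storage decision within the deadline means the profile must be deleted.
        expired = [e for e, c in self.contacts.items()
                   if "storage" not in c.consent and now - c.identified_at > self.deadline]
        for e in expired:
            self.delete(e)
        return expired
```

Note that revoking "storage" silently switches off newsletter, tracking and extranet as well, and that a deleted (not deactivated) address can legitimately re-enter the list and receive a fresh consent request.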
Tell us how you have dealt with the GDPR, or contact us if you have any questions about this article and our solution. We have already answered one question in our Q&A portal (in German) and we look forward to hearing from you.