As 2017 ebbs away and the countdown to GDPR enforcement in May 2018 continues, we thought we would share just some of the ways Cygnus can be used to meet GDPR requirements. Here are 5 ways Cygnus users can demonstrate GDPR credentials to data controllers.
1. Help Data Controllers Implement Information Audit Outcomes
Many months ago the ICO published Preparing for GDPR – 12 steps to take now. This guide is a commonly used reference for achieving GDPR compliance. After the obvious first step, ‘make people aware of GDPR’, the second recommendation is to conduct a data audit.
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Many data controllers will have either conducted a data audit or are planning to do so very soon. The audit process itself will vary from organisation to organisation; however, the outcomes are relatively consistent: too much personally identifiable information exists on disparate systems and devices, and it needs dealing with. Excel files of campaign data, lists of questionably consented leads, versions of CRM backups and lapsed customer data float around across innumerable laptops and servers.
Data controllers need to determine which data is legally usable for marketing. They need to flag the source, split consented from unconsented data, and merge, deduplicate and consolidate many versions of the same file so it can be managed. Cygnus is a practical and capable tool to help these organisations implement these requirements, consolidating marketing and customer data into a practical and usable format. Forward-thinking data services departments and data bureaux should be highlighting to customers how, using Cygnus, they can help them implement the outcomes of their data audit and rationalise their data.
2. Saving the Process not the Data
It is good GDPR practice to identify opportunities to reduce the length of time data is held. Both data processors and data controllers should consider updating their data retention policies and holding on to data for the minimum term required for practical use within the organisation. Most Cygnus users will take it for granted that they can save the job settings and the processing configuration separately from the data. Under GDPR this ability to save a ‘template’ job means data only needs to be held for a minimal amount of time, a feature which didn’t go unnoticed by a recent new Cygnus user.
“Cygnus allows us to automatically and securely ingest data from our customer portals, process it and remove it from our systems with minimal human interaction. The ability to easily save the processing job without the data makes it the perfect solution to demonstrate GDPR compliance while actually reducing the time spent on each job.”
Matthew Wennington, Managing Director, FastAnt (Part of Taylor Bloxham Group)
Data processors using Cygnus on behalf of controllers should be demonstrating to clients how they are minimising breach risks by reducing the length of time data is held without compromising turnaround time.
3. Providing a Processing Audit Trail for Each Job
Article 30 of GDPR specifically requires record keeping of processing activities.
Article 30 2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller
The modules within Cygnus can provide individual reports which document the processing activities undertaken. For instance, the suppression and home mover data modules enable the user to create a report of the quantity of records which matched, why they matched and examples of the matches. Full export reports provide full details of the processes within each Cygnus job.
The reporting from Cygnus offers a little more detail than is strictly required for GDPR compliance. The ability to retrieve detailed information about input data, processing tasks and matches for each job could prove invaluable should an ICO investigation or GDPR complaint need addressing.
4. Helping Controllers Demonstrate Compliance
GDPR requires a legally binding contract to be made between the processor and controller detailing how personally identifiable information will be processed. Cygnus contains dozens of features relevant to the pursuit of improved data hygiene and reduction in the risk of unlawful direct mail landing with a recipient. These features should be defined within the data processing contract as a way of demonstrating all of the often ‘behind the scenes’ work that is undertaken to minimise errors in campaign data processing.
While for most organisations perfect GDPR compliance may be more of an aspiration than a reality come May next year, all processors and controllers with access to Cygnus should be able to present a case that compliance was being actively pursued, which could likely reduce the severity of penalties issued by the ICO should the worst happen.
Systematically cleansing marketing data for goneaways and deceased demonstrates to the ICO that the controller is taking steps to reduce the number of unsolicited direct marketing communications being sent. Evidencing new processing techniques, such as refining Cygnus deduplication matching rules and flagging mailing preference service hits back to update source contact preferences, are 2 other examples where Cygnus features can help demonstrate pursuit of compliance.
5. Maintaining In-house Suppression Lists
Cygnus not only offers the ability to suppress and enrich contact data using over 400 million suppression and home mover records from the UK’s leading file providers, it can also suppress against internally generated files. Many Cygnus users have developed in-house, client-specific suppression files which are updated at every mailing. When returned mail is captured or a customer changes their mail preferences in a CRM, Cygnus can be used to aggregate this data and flag any new mailings to prevent unsolicited, goneaway or deceased recipient addresses being mailed. The creation and management of client-specific suppression and goneaway files demonstrates to the ICO that customer preference information is being handled professionally and attempts are being made to minimise unsolicited direct marketing.
Get Started With Cygnus
These are just 5 examples of how Cygnus can be used by processors and controllers to assist with GDPR compliance. Many forward-thinking Data Bureaux and Mail Producers are already finding ways to use Cygnus to assist with GDPR compliance and proactively market these capabilities to their clients. To find out more about the full range of data processing capabilities of Cygnus, why not schedule a demonstration or download a fully functional 30-day evaluation?