Summary of the regulation step
- Develop a process to:
- Receive customer requests
- Remove personal data
- Unsubscribe from own automation
- Unsubscribe from 3rd party email and systems
- Keep a business record, by anonymising emails
- Can not charge for the process
This can be similar to sharing what data you hold, but with the extra step of removal.
We suggest the first step is to start a queue system to log requests. Then timely nature can be followed through and tracked for performance. Allowing 30 days for removal to start with, but seeking to create a process that allows removal "without delay" as the regulations request.
Give the customers the ability to use a web form on your website or when on the phone, or in writing. So that you can be ahead of the request and frame the commitment and expectations.
Removal requests come with the extra need to delete data that staff or other systems might want to use. If it is just marketing then removal serves as simple out-out, but when data interacts with past or current orders, then different legal grounds for holding that data need to be referenced in your Data Audits. Someone waiting for a package order would have there email kept for that business need, but should not allow staying in other systems.
Do you have a GDPR process that you still have questions about?
Send me your thoughts, We can advise you on roadmap steps to production.