What's GDPR Got to do with Anyway?
GDPR (General Data Protection Regulation) is the “buzz acronym of the year”. Because of changes in legislation that take effect at the end of May, this acronym is being flung far and wide across the internet and at networking events.
Social media is awash with posts advising people on how to become GDPR compliant, how to avoid heavy penalties from the ICO and offering horror stories about clients and partners who are well behind the GDPR curve. It’s become a bit like the PPI of the business world (or the millennium bug #2 as someone recently described it).
Thing is, it’s not that new. GDPR legislation has always existed. It just hasn’t been terribly robust. In fact, it hasn’t really been updated for the digital era: GDPR replaces the 1995 Data Protection Directive, which is really due a bit of an overhaul.
To put this in perspective, in 1995 I was enrolling in a 4-year university degree, which I completed without once going near a PC, without once sending an email and without once logging into anything other than the university library (I’d scan myself in with a barcode on my matriculation card). Any data legislation written for a time pre-digital is categorically not fit for purpose.
Add to this the fact that the EU has exercised much stricter control over data, and the exchange of it, for years. The UK is now having to haul itself into the 21st century when it comes to compliance.
So, what are the changes? What does it mean for your business and how the hell can you tackle the mountain you’ve got to climb now?
Here’s what you need to know. And what you don’t...
What is GDPR?
General Data Protection Regulation really just regulates the collection, processing and movement of personal data. It has been designed to give more power to the data subject in terms of what information is stored, where and for how long. A data subject can be anyone from a customer to a supplier to an employee. The legislation is forcing companies to process data lawfully, fairly and transparently. The changes put in place are there to guide a company towards achieving this.
For example, you must now:
- Be explicit that you are collecting the data
- Gain consent through explicit opt-in rather than soft opt-in, and in a way that uses plain English
- Have a legitimate reason for the collection (and not use the data in any way that is not compatible with that specific purpose)
- Limit the ways in which you process the data in accordance with your privacy statement
- Ensure accuracy of data
- Allow people the “right to be forgotten” (have their data and associated records removed from the system)
- Ensure complete security of the data to prevent unauthorised or unlawful processing, loss or damage
What do I Need to do?
You will have to assess whether or not your current processing meets the new compliance regulations. Conduct a Gap Assessment to review your business processes and systems in relation to the new requirements. As the name suggests, it will help you identify where your gaps are and what you need to do to address them.
You’ll need to update your collateral including your policies, your website and your codes of conduct. Create a strategy for dealing with things like data requests and breaches. Document everything. Keep ongoing records for all your decision making regarding GDPR.
You’ll need to think about how this impacts on your customer relationships. There is no better opportunity from the GDPR changes than the chance to review your relationships. It provides you with an opening to really consider whether your communication with your customers has been on point this whole time, or whether you need to be adjusting your perspective. For example, have you been communicating at them, or with them? Permission-based marketing will undoubtedly reduce the number of people you are eligible to communicate with, but the ones who opt in will be of a higher quality and more likely to convert than those who opt out. Also, you won’t be fatiguing your potential customer base with email after email of needless promotional content. GDPR will force you to think really carefully about your audience and your message. That can only be a good thing for business and for customers. From your own perspective it gives you an opportunity to organically and holistically keep your CRM system “clean”. In the past, the value of a CRM system was measured by the raw count of records. Not so any more. Clearly the more data you legitimately keep the better, but the emphasis moving forward has to be on quality, not quantity.
Audit (and often). It’s not going to simply be a case of setting up your GDPR compliance rules and then letting them run. You will have to review them, reasonably frequently, in order to ensure continued compliance. An annual review (as a minimum) should take into account your new policy, its objectives and effectiveness, and also the output of the compliance work.
You will have to raise the level of awareness amongst all your staff. As well as appointing a data compliance officer, you will have to ensure that all members of staff are made aware of the new legislation and how it impacts on their roles professionally and personally. It’s probably best to consider adding GDPR training to the induction process so that the learning starts as early as possible. Identify all the data handlers in your business and make sure they have some basic cybersecurity training and some in-depth GDPR understanding.
You will have to tighten your security. Data loss and theft pose the greatest risk to your business under the new GDPR legislation. You are obliged to inform the ICO of any data breach under the new GDPR rules. A loss could be something as simple as a USB stick being misplaced or data being destroyed or misdirected, as well as something more sinister like the theft of a laptop or a hacking event. To prevent loss or theft, regularly test the effectiveness of your security. Put a process and controls in place to make sure personal data is only accessed by people with the relevant authority. Review the privacy policy of all new technology before introducing it into your business. Train your staff on basic security practices like password control and phishing identification.
What you DON’T need to do
Don’t rest on your laurels. This is one of the biggest changes to business governance to be introduced in a long time. You cannot ignore it. You cannot pretend it doesn’t apply to you. This is not a time for being complacent.
Don’t panic. Yes, it’s a big undertaking. Yes, there’s so much you need to take into consideration. Eat the elephant one bite at a time. There are plenty of easy wins (like becoming a member of the ICO, taking some basic training, updating your privacy statement). Tackle what you can now, then bring in professionals to help you with the things you can’t. Make sure you are able to demonstrate that you are on the “GDPR Journey” to the ICO and care for your customers.
Don’t underestimate the value of GDPR. Prioritising information security through robust privacy control can only generate confidence in your business. This extends to your ability to fulfil your commitment in other ways, such as product and service fulfilment. Business is all about building relationships. Getting it right from the very beginning of the customer journey is the best way to build honest and genuine relationships. Demonstrating value right from the start is the best way to grow your business.
The road might be a long one, but there are plenty of people out there to help you shortcut it. If you need some GDPR help, get in touch.
Allied Security offer you GDPR compliance training, Gap Assessments and Cybersecurity. Proud to have been serving our customers for over 25 years.
Posted by: Emma Stewart, Commercial & Operation Director