We hope you have the date 25 May 2018 written in large letters around your offices. That is the date when the General Data Protection Regulation (GDPR) comes into force. If you have been delaying policy and process implementation, there is no time to lose. You may be compliant with the European Data Protection Directive of 1995, or the Data Protection Act if you are based in the UK. However, you still have plenty to do to meet the new and stringent requirements of the GDPR. What is more, you are not exempt if you are based outside Europe or the United Kingdom; the growth of the Internet has given this regional regulation global reach.
The Aims and Objectives of the GDPR
While on the surface the GDPR seems to be all about data provided by individuals, in reality it is about protecting human rights by protecting a customer’s data and controlling access to it. Many companies have accumulated data about a person without paying attention to the importance of that data to the customer and the need to keep it safe and private. The GDPR changes all that:
- There must be a single view of all the data for the customer held by the company.
- Data may only be collected with permission from the customer; all those tick boxes asking you to subscribe to emails and marketing information must be blank by default, not pre-ticked.
- The customer has the “right to be forgotten” – it must be possible to delete all data related to a customer on request. He can also request that his data is transferred to another organisation.
- The data must be secure and protected.
- In the case of a data breach, there is a window of 72 hours within which the authorities must be notified.
- Non-compliance carries heavy penalties. We are talking of a fine of up to 4% of last year’s global turnover or €20 million, whichever is greater.
- Companies that process and/or transfer large amounts of sensitive data will need to appoint a Data Protection Officer.
There are very few companies that handle personal data that will not have to make some changes to comply. A survey by the IAPP (International Association of Privacy Professionals) and Ernst and Young conducted in late 2016 found that only 3% of respondents were not affected by the GDPR; 80% stated that they were affected and were making changes, and 16% did not know – we hope this last group has made it their business to find out!
How this Affects your Business
While there will be a need to review your personal data and cybersecurity policies and processes, it is likely that your major effort will be directed towards better data management. Even if you have a comprehensive customer relationship management application, will you be able to collate and package all your customer’s emails, Facebook entries, invoices and Continuing Professional Development (CPD) points at the touch of a button? The short answer to this is “probably not”. What you will need is to identify all the possible data silos where your customer’s data resides and both map a process and automate it to make the retrieval of data as painless as possible, both for your company and your customer.
Improved data management is not the only hurdle you have to overcome. Here is a simple roadmap to navigate around the GDPR roadblock.
Formulate a strategy that covers all the risk points to be addressed. This includes:
- Revisit your policy on the acquisition, maintenance, use, retention and removal of personal data. Make sure that all customer touchpoints along your value chain are addressed. Give special attention to customer acquisition, where the client now must explicitly give you permission to obtain and use their data.
- Identify the different places where data exchange can occur, and what data is obtained from the customer. This includes marketing, sales, service and your various social footprints, from your website to Twitter and Linkedin groups.
- Optimise all your processes where there are customer touchpoints. You have already identified the touchpoints when reviewing your policies. Ensure that business rules are applied wherever there is an exchange of data. You need this to be done before the next point, but if possible, try to tackle both tasks simultaneously.
- Appoint a task team to conquer the disparate customer data. Give them a brief and non-negotiable deadline dates. You have about 200 working days left.
- Start a training and awareness program for everyone in the company. By the time May 2018 rolls around, no-one must plead ignorance.
- Attend to your cybersecurity infrastructure. There are 5 points to cover, namely:
  - Your cybersecurity policy, with respect to client data and client data privacy.
  - Your processes for securing data.
  - Possible acquisition of more robust security applications.
  - Your ability to monitor and report on cyberattacks, like WannaCry. Remember, you have only 72 hours to report a breach, so you need early warning alerts.
  - Your staffing resources. You may require a Data Protection Officer (DPO), depending on the volume of personal data you store and transfer. We all thought being a data scientist was the cool new job. Well, think again. The IAPP found that there was a requirement for 28 000 DPOs in Europe to cope with the GDPR.
- Ensure that performance agreements and balanced scorecards are updated with the required responsibility and accountability for all levels within the organisation.
- Prepare for a proof of compliance – run mock audits to see that all bases are covered. You can expect real audits on a regular basis after May next year. The only way you can be confident that you will pass an audit is to conduct at least one yourself.
- Infuse some fun by having a GDPR graduation celebration both to acknowledge a successful project and to remind everyone that GDPR is coming soon.
There is a lot of work to be done, and it will place strain on everyone in the company, but the problem with compliance is that it is non-negotiable. It may be wise to bring in some consultants who have experience in making this transition. Firstly, it will remove the need to re-invent the wheel and secondly, some of the workload can be placed on their shoulders. Implementing the GDPR is not only pain; it also brings rewards, in that it improves trust between your customers and the company, and the improvement of your security will make everyone sleep better at night.
Whatever you do, please do not delay another day. Time is tight – if you need a DPO you are competing with 28 000 other companies, so you will probably need to train someone in-house. You will probably need some app development to find and collate customer data, for situations where the customer wants their data to be ported or deleted. We hope that by next May, you will be confidently in charge of your GDPR compliance.