The final countdown: five key steps to GDPR success
With mere months to go until the General Data Protection Regulation (GDPR) comes into effect, it is dominating the news agenda and is a top priority for businesses. From retailers to charities and the manufacturing industry to financial services, the impact of GDPR will affect every organisation that handles customer data and will be far reaching.
Indeed, it has the scope to change the face of marketing completely. Yet behind the hype, there is much confusion from businesses of all sizes from across industry, which know that they have much to do to comply with GDPR, yet do not know where to begin.
While for many, compliance with GDPR may seem like a huge task, those that embrace it as an opportunity to lead the way in the new consumer democracy and demonstrate a new level of transparency and trust, will be the ones who ultimately win. Although undoubtedly a complex task, GDPR offers as many opportunities as it does challenges.
Understanding the requirements of GDPR is one thing, but being able to translate this into compliance is something else entirely. And of course the larger the organisation, the more complex the process.
With this in mind, what can organisations do to ensure they comply?
1. Map your data flow: conduct an audit
This is perhaps the most important step, and the one which every other element of GDPR compliance is built on. Get the discovery phase right and the rest will follow, get it wrong and the entire process will be beset with problems. By conducting an audit organisations can establish:
- What data has been collected
- Where it is being stored
- Who is using the data
- Why the data is being collected and its purpose
- When permission was granted
- Where permission was granted
As part of this process, businesses can also determine which legal definition they are processing data under. They will also be able to highlight where they may need to go through a re-consent process with customers, which can act as a great way to reconnect with individuals.
2. Examine your privacy policy
Providing privacy information is already a requirement under the DPA, but GDPR takes it a step further. It has a specific emphasis on making privacy notices understandable, transparent and accessible. Best practice here is to explain with each piece of data collected why it is being collected and how it will be used. This will make it easier for individuals to understand and also be repeatedly informed about how their data is being stored and used.
Of course the level of detail needed in a privacy policy will depend on the type of organisation. For a mail order company who just needs to collect names and addresses it will be fairly straightforward, for a large organisation such as Sky, it will be far more complicated.
What remains the same, regardless of the size of organisation or sector, is the need to take the opportunity to help empower customers and build trust. For example, organisations could look to integrate a permissions management dashboard into their privacy policies, which will not only give customers greater control, but will also enable businesses to use data more effectively.
3. Appoint a Data Protection Officer
Having a suitably knowledgeable person or team of people that focus solely on data protection is not a prerequisite of GDPR, but it will hugely help in complying with it and with data management and governance generally.
If there is not someone with this expertise already in the team, then businesses need to act now to train or recruit someone.
Their role will be two-fold, to act as someone individuals can contact regarding their personal data and also to cascade out information about GDPR and data protection across their organisation.
The Data Protection Officer will also be key in helping to gain board level support, as once this is in place then half the battle is already won.
4. Educate everybody
Every single person within an organisation needs to understand the importance of GDPR and that there is a fundamental move within the organisation to treat data differently going forward.
This again demonstrates why a Data Protection Officer is so vital as they will play a pivotal role in ensuring this happens.
As GDPR compliance essentially involves implementing a new data strategy, it is especially important that the board fully understands the impact of GDPR and is on-board with making resources available to implement the changes.
5. Communicate externally
Once everyone internally understands the new data strategy and is aware of the role they need to play, businesses can then communicate their new approach externally.
It is hard to impress how important transparency with customers here is – and not for the sake of compliance with the new regulations, but for the good of the company as a whole.
Complying with GDPR is a massive task, but it also offers a unique opportunity to develop completely new ways of working that are based on the key principles of trust and transparency. If customer experience is the battleground of the future, then data is key to winning the war and GDPR is the perfect opportunity for businesses to rethink their approach to data and the enhanced customer relationships and experiences it allows.