Be Proactive: The General Data Protection Regulation (GDPR)
I've (ghost)written about GDPR elsewhere for clients already, and while there is no shortage of advice around GDPR, I feel it is crucial to reiterate that businesses and individuals alike should get informed and make plans as soon as possible.
Those plans will be complex, involve multiple stakeholders, and bring about root-and-branch changes across the enterprise. Managing this endeavour will also require a plan, both to make sure the changes stick and to show any competent authority that a proactive approach to GDPR is being taken.
Let's keep things as simple as possible for now, and divide those changes into three broad categories:
1) Technical
The first step is an assessment that maps GDPR risk across the enterprise. Starting points include identifying every silo of personal data wherever it sits, including at third parties (hosted data centres, cloud apps, etc.), and mapping the data flows and any data retention rules that apply. While existing systems will ideally be retained, a governance structure must be put in place to ensure that any personal data is controlled and/or processed in a compliant manner.
The technical aspect of GDPR is not just about encrypting and protecting personal data, or deploying new software tools; it also concerns the methodologies required to carry out operations on those data. If you are operating without a risk-based map, a personal data governance structure and a change management plan, there will be a heightened risk of problems after May 25th 2018.
2) Operational / Legal
Since the GDPR works by giving EU resident citizens new rights over their personal data, businesses need to start mapping the customer journeys which are associated with the fulfilment of those rights.
How would your business handle a sharp uptick in the number of subject access requests? Will your customer service reps know what to do? How would you cope with a deluge of requests for personal data portability, or for data erasure? Will you be able to respond adequately, and within the recommended time period of 30 days?
On the legal side, it is quite likely that a review of your Terms and Conditions, as well as the T&Cs of any third parties you use, will also be necessary before GDPR comes into force.
3) Marketing & HR
In most businesses the HR and Marketing functions hold significant quantities of personal data. Under GDPR, the need to protect your own employees' (and even ex-employees') personal data and to establish proper governance of these data is paramount. Losing your own employees' personal data would have to be reported to the ICO within 72 hours of any breach, just the same as any other category of personal data.
Where Marketing is concerned, I believe that there is a window of opportunity for businesses to avoid problems after May 25th 2018. Let us suppose that Marketing own a large database of names. Among the key questions are: How was that data collected? Do you have records of individuals' consent to data retention? Do the records show that consent was obtained in a way which was specific, active and informed as mandated by GDPR?
If you cannot prove that personal data has been lawfully collected to the standards required by GDPR, then you will not be able to use that data after GDPR comes into force. Businesses should acknowledge that a proportion of their marketing database might have to be erased as things stand, and that taking action sooner rather than later will minimise this proportion. I cannot recommend enough that action be taken today to go about re-obtaining proper consent from the marketing base.
The Salvatore view is that businesses should design a 'Marketing Campaign for Marketing Campaigns'. In other words, use the existing Marketing mechanisms to start building trust with the prospect database around personal data. By being proactive, upfront and straightforward, your company's enlightened approach to personal data will be appreciated. This is the only way to obtain the necessary informed consents and proofs while at the same time minimising risk and building engagement.
I'd love to hear from you if these points strike a chord, or if you would like to start making, or enhance, your plans for GDPR; please get in touch.