The EU General Data Protection Regulation (GDPR) will come into effect from the 25th of May 2018. Irrespective of where you are located in the world, if you collect client data from persons in the EU, the GDPR is now part of your new standard operating procedures.
GDPR is all about personal data and making sure that personal data is protected from outside attacks. The onus is on the company to prove that it takes every reasonable measure to protect its customers’ personal data against misuse – whether you process and store all the data internally, or by engaging a third-party supplier or SaaS provider.
What types of privacy data does the GDPR – new data protection regulation – protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
With businesses performing more and more transactions online, as well as managing many of the business procedures online, the need for strong data protection has become a critical component of the overall business process.
As a savvy professional, it pays to understand the compliance criteria in such a way that you will be able to understand and manage the ongoing compliance requirements beyond May 25th. This date only marks the starting point from which we need to be more vigilant in how we manage, store and process our customers’ personal information.
Looking at GDPR from this point of view means that the management requirements for GDPR can be split up across five different phases. These phases coincide with the general lifecycle of a business process and they loosely align with Deming’s Quality cycle: Plan – Do – Check – Act (PDCA for short).
- Plan what you are going to do
- Do what you planned for
- Check / study and analyse the results of what you did in the previous step
- Act accordingly – improve the activities, measurements and expected outcomes.
Phase 1: Recognise the value of GDPR for the overall business
Even though GDPR compliance is mandatory, it still pays to recognise the value for the overall business – approaching the regulation this way means you change your point of view from looking at GDPR as a burden to looking at it as an opportunity that provides value to the overall business.
Example questions you can ask to identify the opportunity GDPR brings to your organisation:
- Does GDPR create potential expectations in other areas that need to be recognised and considered?
- What does GDPR success mean to the stakeholders?
- How does GDPR compliance prevent errors and rework?
Phase 2: Define what GDPR – the new data protection regulation – means within the context of our business
In phase 2 we move from a more generic value-based approach to a more specific business context. What works for one company does not necessarily work for another, so avoid the ‘one size fits all’ approach: it is important to look at the compliance requirements within the context of your own company or business.
This approach links GDPR to the business goals and objectives, making it easier to identify cost-savings or efficiency gains of the business processes that deal with personal data.
Example questions to clearly position GDPR within the business context are:
- Is the scope of GDPR defined; what are the boundaries? And is the GDPR scope manageable?
- Is GDPR implementation linked to key business goals and objectives?
- How does your organisation fall under the scope of GDPR? (Especially when your business is outside of the EU)
- Does senior management understand the importance of GDPR?
Phase 3: Measure & analyse how GDPR compliance is currently performed
This phase might be the most important part of the whole approach. With fines of up to 4% of global turnover, the implications of not correctly complying with GDPR are massive.
First of all we need to understand how we can measure GDPR compliance. This means doing an audit on our customers’ data and how we process and store this data.
You can’t manage what you can’t measure, so identifying a way to measure and analyse GDPR compliance is the first important step to take.
Examples of questions to ask are:
- What are the uncertainties surrounding estimates of impact of GDPR compliance?
- What current systems have to be understood and/or changed?
- Can we comply with GDPR without complex and expensive analysis?
- Do you know where your data is today?
Phase 4: Improve the GDPR compliance processes
Once you know the actual data that falls under the GDPR remit, you can create a process improvement system. The way we use data online changes constantly, which means we need to constantly reassess our data management and data storage processes. This also includes the way we hand over data to our vendors and third-party outsourced partners.
The questions we ask in this phase are all around improvement and progress – not being satisfied with the status quo and constantly looking for better ways to manage our customers’ personal data in line with GDPR compliance.
- Are we able to answer a regulator asking ‘where did you get the data and how did the data subject agree to it being collected’?
- Are we making progress? If so, how do we know?
- What are the revised rough estimates of the financial savings/opportunity for GDPR improvements?
Phase 5: Control and sustain the data engineering objectives
This final phase ties all the previous steps together and adds a layer of control over the processes. GDPR is not a one-off project to find out how your business scores on compliance. It is an ongoing and constantly changing set of rules and regulations that you need to continue to comply with.
That’s why the questions in this phase are forward-looking: solidifying what we are currently doing and building a series of processes and procedures that enable us to sustain our level of compliance, irrespective of changes in the legislation.
Once you’ve completed this step, you are on your way towards a strong and healthy future for your business.
- How will we ensure seamless interoperability of GDPR moving forward?
- What are the current penalties for non-compliance?
- Are we changing as fast as the world around us?
Using a 5-phase approach like this ensures you are approaching GDPR compliance from every angle and building a healthy, future-proof business.
Ivanka Menken is the author of GDPR Practical Tools for Self Assessment, now available for purchase.