GDPR – new data protection regulation is coming . . . are you sure you’re ready?

In: Best practice
Is your data management strategy set up correctly and completely, and in place ready for compliance with the incoming GDPR (the new data protection regulation) in May? Ivanka Menken has a checklist of processes that businesses and organisations should go through to ensure the customer data they hold complies fully . . . and what to do now if it doesn’t.
The EU General Data Protection Regulation (GDPR) will come into effect from the 25th of May 2018. Irrespective of where you are located in the world, if you collect client data from persons in the EU, the GDPR is now part of your new standard operating procedures.

GDPR is all about personal data and about making sure that personal data is protected from outside attacks. The onus is on the company to prove that it does everything reasonable to protect its customers’ personal data against misuse – whether you process and store all the data internally, or engage a third-party supplier or SaaS provider to do so.

What types of privacy data does the GDPR – new data protection regulation – protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

With businesses performing more and more transactions online, as well as managing many of the business procedures online, the need for strong data protection has become a critical component of the overall business process.

As a savvy professional, it pays to understand the compliance criteria in such a way that you will be able to understand and manage the ongoing compliance requirements beyond May 25th. This date only marks the starting point from which we need to be more vigilant in how we manage, store and process our customers’ personal information.

Looking at GDPR from this point of view means that the management requirements for GDPR can be split up across five different phases. These phases coincide with the general lifecycle of a business process and they loosely align with Deming’s Quality cycle: Plan – Do – Check – Act (PDCA for short).

  • Plan what you are going to do
  • Do what you planned for
  • Check / study and analyse the results of what you did in the previous step
  • Act accordingly – improve the activities, measurements and expected outcomes.

Phase 1: Recognise the value of GDPR for the overall business

Even though GDPR compliance is mandatory, it still pays to recognise the value for the overall business – approaching the regulation this way means you change your point of view from looking at GDPR as a burden to looking at it as an opportunity that provides value to the overall business.

Example questions you can ask to identify the opportunity GDPR brings to your organisation:

  • Does GDPR create potential expectations in other areas that need to be recognised and considered?
  • What does GDPR success mean to the stakeholders?
  • How does GDPR compliance prevent errors and rework?

Phase 2: Define what GDPR – the new data protection regulation – means within the context of our business

In phase 2 we move from a generic value-based approach to a more specific business context. What works for one company does not necessarily work for a different one, so to avoid a ‘one size fits all’ approach it’s important to look at the compliance requirements within the context of your own company or business.

This approach links GDPR to the business goals and objectives, making it easier to identify cost-savings or efficiency gains of the business processes that deal with personal data.

Example questions to clearly position GDPR within the business context are:

  • Is the scope of GDPR defined; what are the boundaries? And is the GDPR scope manageable?
  • Is GDPR implementation linked to key business goals and objectives?
  • How does your organisation fall under the scope of GDPR? (Especially when your business is outside of the EU)
  • Does senior management understand the importance of GDPR?

Phase 3: Measure & analyse how GDPR compliance is currently performed

This phase might be the most important part of the whole approach. With fines of up to 4% of global turnover, the implications of not correctly complying with GDPR are massive.

First of all we need to understand how we can measure GDPR compliance. This means doing an audit on our customers’ data and how we process and store this data.

You can’t manage what you can’t measure, so identifying a way to measure and analyse GDPR compliance is the first important step to take.

Examples of questions to ask are:

  • What are the uncertainties surrounding estimates of impact of GDPR compliance?
  • What current systems have to be understood and/or changed?
  • Can we comply with GDPR without complex and expensive analysis?
  • Do you know where your data is today?

Phase 4: Improve the GDPR compliance processes

Once you know the actual data that falls under the GDPR remit, you can create a process improvement system. The way we use data online changes constantly, which means we need to constantly reassess our data management and data storage processes. This also includes the way we hand over data to our vendors and third party outsourced partners.

The questions we ask in this phase are all around improvement and progress – not being satisfied with the status quo and constantly looking for better ways to manage our customers’ personal data in line with GDPR compliance. 

  • Are we able to answer a regulator asking ‘where did you get the data and how did the data subject agree to it being collected’?
  • Are we making progress? If so, how do we know?
  • What are the revised rough estimates of the financial savings/opportunity for GDPR improvements?

Phase 5: Control and sustain the data engineering objectives

This final phase ties all the previous steps together and adds a layer of control over the processes. GDPR is not a one-off project to find out how your business scores on compliance. It is an ongoing and constantly changing set of rules and regulations that you need to continue to comply with.

That’s why the questions in this phase are future-looking; solidifying what we are currently doing and building a series of processes and procedures that enable us to sustain our level of compliance, irrespective of changes in the legislation.

Once you’ve completed this step, you are on your way towards a strong and healthy future for your business.

  • How will we ensure seamless interoperability of GDPR moving forward?
  • What are the current penalties for non-compliance?
  • Are we changing as fast as the world around us?

Using a 5-phase approach like this ensures you’re approaching GDPR compliance from every angle and building a healthy, future-proofed business.

Ivanka Menken is the author of GDPR Practical Tools for Self Assessment, now available for purchase.

Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.

GDPR, compliance and much more will be under discussion at our MINT Data Driven Marketing Summit on Wednesday April 18 in central London. GMA readers can get £100 off the ticket price. Book NOW to hear top-level speakers share their knowledge about GDPR, innovation and the new data economy.

Author: Ivanka Menken
CEO and co-founder at The Art of Service | www.theartofservice.com

Ivanka Menken is a serial entrepreneur and the owner and co-founder of The Art of Service since 2000. She specialises in creating organisations that manage their services in a sustainable and customer-driven manner. With 20+ years of management consultancy experience and an education degree, Ivanka Menken has been instrumental in many organisational change management projects in The Netherlands, USA, Canada, New Zealand and Australia for both government agencies and private corporations. She believes that education and training are at the foundation of every successful enterprise. Menken is an accredited PRINCE2 Project Management trainer, course author and consultant, has been a guest lecturer for a number of Queensland universities on the subject of IT Service Management and Organisational Change Management, and was proudly featured as one of ‘Australia’s 50 Influential Women Entrepreneurs’ in 2016. While running The Art of Service, Menken authored a number of publications on IT Service Management, Cloud Computing and Customer Service. She also completed her Entrepreneurial Masters Program at MIT and served on the board as the second-ever female president of the local Entrepreneur’s Organization chapter.