If you are tired of reading articles about GDPR as the new onerous regulation or burden that’s going to be the downfall of your organisation if you don’t comply because you will suffer huge fines, then this is the one for you.
GDPR is about people; your tenants, suppliers and employees. It’s about data; your data, my data and their data. And it’s about how you communicate your privacy practices – it’s this that helps to build the reputation of your brand and your organisation.
GDPR is the biggest shake-up to data protection in over 20 years and, in my opinion, it’s well overdue. We now live in an age where we are all happy to give out our personal data without question whenever we are asked for it. GDPR covers both the private and public sectors; it helps us safeguard data in the digital age.
GDPR is an opportunity
Yes, really it is – it’s an opportunity to build and strengthen trust between you and your tenants, employees and suppliers. GDPR brings in accountability and transparency, and it’s about being honest about why and how you process data. It is putting privacy at the top of the agenda, and treating the data of others in the same way you would want your own data to be treated.
GDPR is about embedding a privacy culture within your organisation and training your team to live by it. But how do you do this?
The first step to compliance is to carry out a gap analysis. This gives you an overview of where you are now: an assessment of your organisation’s current level of compliance with GDPR. It will highlight the gaps and help you identify and prioritise the key areas that you must address before May 2018, so that you use your resources in the best possible way.
Conduct a data audit. Know the data that you hold: how you obtained it, what you use it for and what the retention periods are. Is your data fully consented? Can you really say that everyone in your database said ‘yes’, and how are you obtaining that consent?
Let’s think about your legal basis for processing. Are you using ‘consent’? If so, you need to be able to show how that consent was obtained. Was it clear and unambiguous? Do you process ‘sensitive data’? Then this consent must be explicit.
Did you know that, as the data controller, you have new responsibilities under GDPR? The burden of proof is now on the controller to show why the data is being processed. And then there is the data processor: as the data controller, you must ensure that any processor you use is compliant with GDPR.
Do you work with third-party organisations? This could be a marketing agency, a call centre or a data-cleansing agency. As the data controller, you need to check those contracts and carry out due diligence on your third-party contractors. Remember: it’s your data and therefore your responsibility.
If you don’t already know them, take time to get to know the seven data-protection principles of GDPR.
GDPR states that all of your policies and procedures must be written in clear, easy-to-understand language; in other words, you shouldn’t need a dictionary for obscure wording or a degree in law to understand your rights! With this in mind, do you need to rewrite your policies and notices?
Data breach… okay, so the worst has happened and your entire database has been hacked. If you know your data, you will know instantly how serious this is. Ensure you have a clear procedure to deal with it, one that everyone knows about and that leaves everyone clear about what they have to do. You already have fire drills, so have a data breach drill too. Know what to do: after all, you only have 72 hours from the breach being discovered to notify the regulator and, if need be, the individuals whose data is involved.
Where is all this leading to? Well, it leads straight to your reputation. No matter how large or small an organisation you are, you can rise or fall on your reputation, and GDPR encourages you to be open and honest.
GDPR can build brand value
An organisation that can define the customer experience and find engaging ways to talk to customers about their data will build trust in its brand. Trust can mean increased rates of customer retention and acquisition, which in turn results in increased revenue and growth. A company that is uncaring about its customers’ data will be seen as untrustworthy by today’s savvy consumers, and this could cause catastrophic damage to its reputation.
GDPR can add business value
Use GDPR as an opportunity to spring-clean your data management systems and processes. GDPR requires a review of your end-to-end data processing, which gives the business the opportunity to ensure that all processes are aligned with GDPR and that, for tenants, access to and control of their data is simple and easy. Streamlining your business processes in this way should improve efficiency and may offer savings for the business.
Building and maintaining a privacy culture needs to come from the top. The senior leadership team needs to be involved from day one; there needs to be constant monitoring of policies and procedures, a well-defined staff training programme, and a communications structure that constantly reminds and updates staff about data privacy.
Do you know where your data travels to? You need to. You also need to be able to prove that you are doing everything you can to be GDPR-compliant, so make sure you have an audit trail: log all training and every change to policies, notices and procedures, so that if anyone comes knocking, you can show them.
Don’t panic. GDPR is not something to be scared of; instead, see it as an opportunity to spring-clean your organisation and showcase it in the very best light. Use it to build trust and enhance your reputation, and take it as the great opportunity it is.
Karen Cheeseman is a GDPR and data consultant at Privacy Trust.