If you haven’t already prepared for GDPR (General Data Protection Regulations), you’d better get to it because the deadline is approaching fast. What you need is a quick and practical approach, and whilst my proposed approach is somewhat simplified, we don’t have the luxury at this point of going into the finer detail.
The law requires us to protect and securely handle all personal data. At the same time, the processing of personal information must serve a purpose that the person in question is familiar with (and preferably has given consent to). Only the information that was strictly necessary to fulfil this purpose may be collected. Furthermore, personal data must only be shared with those who require it for that purpose and must be deleted when it's no longer needed to support the task for which it was collected. These are the core principles of GDPR, but it has also been the foundation of previous legislation, so why all the fuss now?
Much of the commotion is related to, potentially, huge penalties. Everyone within the EU and the EEA must comply with the legislation by 25 May 2018, or run the risk of paying a high price. It’s also highly unlikely that the EU will grant a deferment as this would severely distort the competition in the open market.
How to get started with GDPR
Time to roll up your sleeves. These simple steps will get you started quickly and efficiently:
Step 1: Create a GDPR organisation
Which departments in your organisation handle personal data? Examples might be sales, HR, finance, marketing. You can sort this out quickly, but remember that personal information can be related to both customers and employees. Imagine a typical buyer’s journey in your business, and map which departments get involved from start to finish. Do the same with an employee. Pick out the managers in the affected departments, and you will be on your way to having a GDPR-ready organisation.
Step 2: Map the personal data in the organisation
Map the personal data your business possesses, and how this is handled, by asking each department these questions:
- What personal data do we have in the different sectors?
- In which system(s) can I find it?
- What is our purpose for collecting this?
- Will the information be shared outside of the organisation? If so, to whom?
- What procedures do we have for deleting personal data?
Step 3: Set the financial framework for the implementation of GDPR
After learning which departments should be part of the GDPR organisational review, and mapping the personal data the business is processing and where this is stored, you’ll start to get an overview of the scope of the project. Strictly speaking, you have until now only scratched the surface of what is coming. Nevertheless, the introduction of GDPR will for most require some form of financial investment. For some it's a few thousand - others might have to fork out millions.
In future, you must consider how you will:
- Keep personal data so it's possible to inspect the stored information
- Securely store personal data
- Delete personal data
- Transfer personal information to a third party
- Implement notification routines for possible breaches of GDPR
This may require some new IT infrastructure. Risk assessments will also become a necessity for many. If you already have or are thinking about purchasing risk management software, you should seek out modules that are suitable for assessing risks within the framework of GDPR. This type of tool will be economically beneficial because it allows you to issue appropriate reports, and reuse templates.
What happens after May 25?
We have barely skimmed the surface when it comes to adapting your organisation to GDPR. You should be prepared for further work depending on how your business currently handles personal data and conditions related to the industry you operate in. Some industries store vast amounts of personal information, and some also manage sensitive data, which will mean further processing requirements. And you probably have to get acquainted with the 99 principles that form GDPR.
Remember that you'll have to be compliant with GDPR as of May 25, 2018. The procedures and structures you create now must follow the requirements set out by the main principles of the regulations. For example, if you switch CRM system, make sure the supplier is compliant with GDPR and that the system makes it easy for you to keep up with the frequently changing legislation.