As this piece is being written, organisations around the globe are scrambling to comply with the deadline for GDPR. 25 May 2018 looms large in the minds of marketers and data security experts, but it’s not the finishing line that many envision it to be.

In reality, that deadline is just the beginning, a change in the wind for how organisations deal with data. Here are a number of ways you can act now to ensure long-term compliance comes naturally to your business.

Change your data mentality

What separates organisations who do and do not cope well post-GDPR will be their mentality. The regulation was made necessary by a sense of corporate entitlement to big data, with no oversight or accountability for how it might be stored and used.

That needs to change.

After GDPR, data becomes a precious resource. Every scrap needs to be recorded, mapped, and its usefulness justified. Considering that a large proportion of jobs now involve handling data, this new mindset needs to reach everyone from the C-suite to the frontline.

Take a look at your onboarding, orientation, and basic training processes. Are they doing enough to stress the importance of GDPR compliance and explain how and why each affected role uses data?

Don’t forget your existing staff. An hour or so spent bringing them up to speed now with some refresher training could pay dividends later.

If everyone within your organisation is aligned, it becomes much easier to satisfy external challenges.

Empower your DPO

If your organisation requires or has chosen to appoint a data protection officer (DPO), that person needs to have the freedom and authority to get the results they need.

It’s possible that your DPO might end up butting heads with some other members of your organisation. Middle management are famously focused on the demands of day-to-day operations at the expense of the big picture, but even senior members of staff might view compliance as a barrier to innovation and growth.

A lot of this will come down to the DPO themselves; their soft skills should be as much a criterion of selection as their knowledge of the regulation. But ultimately, it’s up to you to ensure the buck stops with them on issues of data security.

After the deadline, it’s likely that a lot of the consultancy crowd will begin to operate as freelance DPOs. If you’d prefer to appoint one of these rather than someone from your own organisation, it’s worth doing so early before the best talent gets snapped up.

Understand your data flow

Prior to GDPR, data was seen as something vague, something that just sort of flowed into a business to be stored in as great a quantity as possible for unspecified future use. Grasping it for long enough to serve a purpose was the priority, but after that, interest tailed off.

Now, your entire data flow, in and out, needs to be accounted for. It’s one thing to be able to track your current use of data, but how you use data is likely to change dramatically over time.

How you maintain and develop your records, and how they can be scaled up in future, is as important as the record-keeping itself. Suffice to say that a spreadsheet is unlikely to be a good enough long-term solution.

Consider some kind of data visualisation tool. Not only will this be more flexible and scale with time; being able to visualise data flow also makes explaining things much easier to stakeholders and decision-makers, who might not otherwise be too invested in the process.

Choose your friends wisely

Data ethics is also likely to play a huge role in the pitching process after 25 May. For B2B services, especially ones that involve you processing your partner’s customer data, putting your compliance credentials on display could make the difference in winning new business.

But be aware that this goes both ways. The onus is on you to build that same kind of due diligence into how you select partners. Take a look at the kind of standard agreements, contracts, and SLAs you use when outsourcing services and make sure that you’re only working with those who are as data-conscious as you are.

Rethink your processes

Managing GDPR compliance should become as much a part of your regular operations as accounts and payroll. As those operations change, it’s possible that your compliance efforts will need to evolve alongside them.

In most cases, growing a business involves the use of more data, not less, so expect compliance to become a more complex affair. Again, by laying the groundwork now and educating staff, you can make sure that compliance scales in step with everything else.

Remember to forget

The right to be forgotten is a big part of GDPR, and it’s one which consumer rights groups and data privacy activists could try to test in the early days. It’s important to communicate clearly to your customers how they can request to have their data erased.

They can do so either in writing or verbally, and both need to be recorded and processed within one month. There could be some circumstances under which you don’t have to delete data on request (to satisfy the law, for example), and these should be clearly understood by those responsible for deletion before you receive that first request.

How will you handle a crisis?

Ongoing GDPR compliance is not a one-shot affair. It’s a journey, and not every journey goes perfectly smoothly all the time.

As time goes on, you should continually test and update your crisis plan. How you notify people of a data breach and take steps to prevent it happening again is going to reflect strongly on your overall GDPR readiness.

It could be worth periodically employing data security experts or white-hat hackers to conduct an independent GDPR assessment and test your defences. That way, if security problems are found, they’ll be found on your terms and not by someone with devious intentions.

Secure long-term compliance with Databoxer

Data use in a post-GDPR world is going to look very different to the Wild West days of pre-2018, but it doesn’t have to be a massive headache. Giving your people the right tools for the job can make ongoing compliance much easier.

Databoxer can be added to your site quickly, providing a stress-free consent management solution for your organisation.

Want to see how? Get in touch and request a demo today.
