Worried your business is not compliant with GDPR? You're not alone. Here's what you should be prioritising.
With GDPR finally on our doorstep, many organisations are now resigned to the fact that while they will be on the road to compliance, they may not be completely compliant.
Research by Ensighten has found that just 26% of UK marketers state that they are “very confident” that their data governance procedures are robust enough to be deemed compliant, while 61% of respondents said they would apply for an extension to the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.
But in a statement last year, the Information Commissioner Elizabeth Denham emphasised that "issuing fines has always been, and will continue to be, a last resort... it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."
So don't panic if you're not going to be 100% compliant - but do ensure that you are able to demonstrate you are well along the path to compliance.
With that in mind, what are the most important requirements that organisations absolutely MUST be tackling?
MyCustomer asked its panel of experts for advice on what their priorities should be.
Paul Laughlin, founder, Laughlin Consultancy
This is a question I’m often asked. Stepping back, I’d recommend leaders think about two key stakeholders. How can they reassure both the ICO and people who interact with their business, that they are taking this seriously and making good progress?
My conversations with leaders also suggest that most organisations will not be fully compliant. What separates those who have a ‘good story to tell’, from those still panicking, is what they are doing for those two priority stakeholders.
At a minimum, I’d recommend the following:
- An information audit. First, you need to know where you are now and the size of the gap you face (compared to GDPR expectations). This should include logging all the personal data items held, and how you process and transfer them (across and outside your business). It’s also worth capturing, at this point, obvious gaps against the expectations of the ICO. So, a good place to start is their own diagnostic audit tool. I recommend using those sections to help RAG rate what you find during your audit.
- Communicate with all data subjects. It is highly likely that you will not have previously communicated to them all the information required by GDPR, whatever legal basis you’ve determined for processing their data. So, design simple, plain English communications to all your prospects, customers and other contacts. This should confirm, at a high-level, the data you hold, how you use it and their rights. If you are relying on consent, then you will need to capture that (proactive, informed and specific). But, even if you are relying upon a legitimate business interest basis (like direct marketing to existing customers), you still need to tell them. There will be more to do, but this shows them you take GDPR seriously and have embraced perhaps one of the most important principles – transparency.
- Start to embed into your culture. Don’t forget your employees. They have data subject rights too, so there will be more work to do on contracts and auditing their data (including surveillance). But, to start with, educate everyone. Internal training, giving time for people to work out the implications for their role, is a great way to start. With the ICO working on an outcome basis, this is also great evidence of action on making data protection by default part of your culture.
- Delete what you don’t need or don’t have permission to use. It’s the time of year for a good spring clean. So, it makes sense to delete all data that isn’t actually used. If you can’t clearly communicate to data subjects why you need that data, delete it. Plus, remember to delete the data of those for whom you need permission and they have not given it by May 25th.
Focusing on those five aspects first should help you demonstrate to the ICO, customers, visitors and employees, that you take this seriously. Risk being transparent and starting your journey ASAP. Better to demonstrate an intention, than to keep waiting on a perfect solution, and be found to have done nothing.
Finally, to avoid missing the obvious, do ensure you’ve registered your organisation with the ICO, and that your entry is up-to-date.
Kim Smouter, the head of government affairs at ESOMAR
It’s important to underline that Data Protection Authorities have themselves publicly confirmed that they do not expect 100% compliance from companies as this is likely to prove impossible even with the best of intentions. What they have said, however, is that they expect companies to be well on their way towards compliance and in order to achieve that companies should have plans in place that can be quickly presented to a Data Protection Authority if it comes knocking at the door.
The top priority for any entity must be establishing a data processing register that will map for the company the data flows coming into the organisation and out of the organisation. Without this register the company is bound to leave critical data transfers out. Importantly, it is a fundamental requirement under the GDPR to maintain such a register and for it to be readily available should a Data Protection Authority audit your activities.
The second priority: if you are collecting a large amount of personal data, then naming a data protection officer should be an important consideration that needs to be resolved quickly. They are the person who will accompany a company’s journey towards compliance and act as the central contact point for data subjects and regulatory authorities alike.
Again, under the GDPR, if your main business activity essentially relies on the collection of personal data, then this is a fundamental legal requirement. This person need not necessarily be internal to the organisation (but if they are, then certain conditions apply as regards their training and position in the organisation). For smaller entities or those not able to hire someone in, external services also exist and can legally substitute for a full-time hire or complement an internal function.
The third priority, once the register is complete, is to set up an action plan that is recorded and kept readily accessible to demonstrate to regulators what it is you are doing to plug the gap between the expected compliance metrics versus what you are actually delivering today.
For me, that action plan focuses the company’s resources on tackling processing activities that are likely to create the most risk for the data subjects and the company. The action plan can be spread over several years depending on what resources are available.
It should focus attention firstly on ensuring that data subject rights can effectively be addressed when the requests come in (as these are the most likely source of a complaint that would lead to an investigation); secondly on updating key policies and processes to meet GDPR compliance (ensuring all processes are based on an appropriate legal base, that appropriate notice is given at the point where data is first collected, that data collected is retained for a determined period of time and deleted as necessary, and that data breach notification processes are upgraded too); and then thirdly on developing and implementing effective monitoring of those processes to keep them up to date and reflective of the operational reality.
This ensures that the privacy culture and accountability culture expected of GDPR is effectively embedded in the organisation and compliance is progressively beefed up over time.
Jim Roberts, director and founder, BlacklerRoberts
2. Understand your personal data – A key prerequisite of completing most GDPR compliance activities is understanding your data, so the what, where, why, how and who of any personal data you capture, store, process or extract.
4. Education – Talk to your teams and ensure they understand the processes put in place, and who they should talk to when handling individual rights requests or when they discover a personal data breach.
About Neil Davey
Neil Davey is the managing editor of MyCustomer. An experienced business journalist and editor, Neil has worked on a variety of newspapers, magazines and websites over the past 15 years, including Internet Works, CXO magazine and Business Management. He joined Sift Media in 2007.