GDPR Compliance: Let’s get the show on the road
Ben Rapp from Managed Networks, in association with Securys, continues his series of articles on how to comply with new data protection laws starting in May.
By now you’ve done your detective work. You know what data you have, where you get it, what you do with it, where you send it, and how long you keep it. You know why you think it’s necessary, and where you need consent. Most importantly, you understand what you need to do to make yourselves compliant with the new data protection regulation.
So do it.
Everyone will have different gaps and problems. The important thing is to have a clear plan to remedy them, and to make sure that you manage the work effectively. Not only because this is the best way to get things done, but also because having evidence of a plan, and progress, will help you show the regulator that you’re trying to comply if – for whatever reason – you aren’t finished by May 25 this year.
You’ll have limited resources. You should be risk-scoring the work, and dealing with the highest-risk areas first. Don’t focus on perfecting your privacy statement if you have Article 9 special category data on your staff that isn’t properly controlled and pseudonymised. Don’t worry about opt-in wording for new customers if you have no idea where you got your existing marketing list or what, if anything, they’ve consented to. Above all, keep your eye on the real harm that could befall your data subjects if you were breached; your first duty is to protect them.
Time is short, so now is also the moment to get help. Those limited internal resources are best focused on dealing with the things that make you special – your own internal culture, your staff, your marketing, your customers. If you can buy something that fixes a whole category of problems, you can free up your own people to have that focus.
So outsource your project management; buy in your policies and procedures; use external trainers; outsource your IT to a company that understands the issue and the industry and is properly committed to security. Is this a blatant plug for Securys and Managed Networks? Of course it is, but we really can help you get your house in order before the deadline if you act now.
By the same token, make sure that you push your suppliers to meet their responsibilities. You’re not working in a vacuum. Ticketing, CRM, email marketing, HR, web sales – all of these systems need to be compliant, and the primary responsibility for that lies with the system provider. So ask them what they’re doing about it, and hold them to account. But remember that if they don’t get it right, you’re the data controller and you’re the one risking fines and reputational damage.
If any of you have heard me speak at our events – the next one’s on March 21 – you’ll know that the key word in GDPR compliance is ‘transparency’. So make sure that as well as working on GDPR compliance, you’re communicating with all your stakeholders about what you’re doing. Your staff may be concerned – either about their data or the impact of GDPR on your organisation. Your customers will want to know what’s happening with their data. Tell them. It’s also an opportunity to enlist their help. Make sure your board knows what’s going on, too – since they’re ultimately accountable for it all.
Above all, don’t panic. Common sense, responsibility, a working moral compass, honesty and openness are the key requirements for effective data protection. They’re pretty important for other reasons too, so embrace the work you have to do, be decisive and efficient and you’ll be fine.
Can’t wait? Get in touch with us on firstname.lastname@example.org