GDPR: Okay, now what?
Ben Rapp from Managed Networks, in association with Securys, continues his series of articles on how to comply with new data protection laws starting in May
If you’ve been reading my previous columns on preparing for General Data Protection Regulation, you’ll be ready to make some tough decisions. By now, you should know where your compliance gaps are. You need to decide what to do about them. What are your choices?
The most obvious is to stop doing things you can’t make compliant. You might also consider this if there’s a significant cost to compliance and you’re not sure there’s enough value in the data, or the processing, to make it worthwhile. This is a good thing: it’s regulation forcing you to check for a workable return on investment. The obvious candidates here are ‘big-data’ projects, patron screening and data enrichment programmes, but only you will know where you found your biggest compliance challenges.
Good data protection practice includes the principle of ‘data minimisation’. Collect only the data you need; do only the processing you need; and keep only the data you need. You should also carefully map how data moves around your organisation, and to and from partners. When you transfer data, are you sending more than is needed? Could you redact names, or other details, or aggregate it before sending it?
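The minimisation step described above, as an added example that is not from the original column or from Managed Networks: a constructed list of patron records is reduced before it is shared with a partner, first by dropping direct identifiers and coarsening the rest, then by replacing individual rows with per-show totals. The field names, the partner's needs and the suppression threshold are assumptions for illustration.

```python
"""Data minimisation before a transfer (constructed example, not the column's
own code). Two functions over a constructed list of patron records; the field
names and what the partner "needs" are assumptions for illustration:
  - redact_for_partner(): drop direct identifiers and coarsen the rest
  - aggregate_by_show(): replace rows with per-show totals, suppressing small groups
"""
from collections import defaultdict
from datetime import date

# Constructed sample patron records (fictional; not real data).
PATRONS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA",
     "dob": date(1985, 3, 2), "show": "Hamlet", "spend": 45.0},
    {"name": "Bob Sample", "email": "bob@example.org", "postcode": "SW1A 2BB",
     "dob": date(1972, 11, 20), "show": "Hamlet", "spend": 60.0},
    {"name": "Carol Test", "email": "carol@example.org", "postcode": "E1 6AN",
     "dob": date(1999, 7, 9), "show": "Hamlet", "spend": 30.0},
    {"name": "Dan Demo", "email": "dan@example.org", "postcode": "M1 1AE",
     "dob": date(1960, 1, 15), "show": "Macbeth", "spend": 80.0},
]

# Fields the partner actually needs (assumed). Everything else is dropped.
NEEDED_FIELDS = ("show", "spend")
REFERENCE_DATE = date(2018, 5, 25)  # fixed so the example is deterministic


def age_band(dob, today=REFERENCE_DATE):
    """Coarsen a date of birth to a 10-year band, e.g. '30-39'."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def outward_code(postcode):
    """Keep only the outward part of a UK postcode ('SW1A 1AA' -> 'SW1A')."""
    return postcode.split()[0].upper()


def redact_for_partner(records):
    """Return rows with direct identifiers removed and quasi-identifiers coarsened."""
    out = []
    for r in records:
        row = {k: r[k] for k in NEEDED_FIELDS}
        row["area"] = outward_code(r["postcode"])
        row["age_band"] = age_band(r["dob"])
        out.append(row)  # name, email, exact postcode and dob never leave
    return out


def aggregate_by_show(records, min_group=3):
    """Per-show attendance and total spend; groups below min_group are suppressed
    so a single patron cannot be singled out from the aggregate."""
    groups = defaultdict(lambda: {"patrons": 0, "spend": 0.0})
    for r in records:
        g = groups[r["show"]]
        g["patrons"] += 1
        g["spend"] += r["spend"]
    return {show: g for show, g in groups.items() if g["patrons"] >= min_group}


if __name__ == "__main__":
    print(redact_for_partner(PATRONS))
    print(aggregate_by_show(PATRONS))
```

Which of the two outputs is appropriate depends on the purpose of the transfer: a partner reporting on audience reach needs only the aggregate, while one running the show's own marketing may need coarsened rows. Either way, the decision and the fields chosen should be recorded alongside the data map.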
If what you’re doing now is necessary but isn’t compliant, you’ll have to improve your data protection. This might mean better notification to the data subject; it might mean better consent wording. Perhaps you need to put proper data-sharing agreements in place, or clarify who controls the data. You’ll almost certainly be writing effective policies and procedures, training staff in them, and implementing stronger cyber-security protections to reduce the risk of a data breach. You’ll need to resource this work properly. Don’t be afraid to look for outside help.
If you’ve looked at your plan and can’t see how you can make the necessary improvements to be sure it’s secure enough, you’ll need to outsource some of the problem. This might mean changing to a better-prepared marketing agency, switching your ticketing or fundraising system, or moving to an IT provider with proper security certification (hint: that could be why we’re sponsoring these articles…). If you’re going to outsource, the provider should take clear responsibility for delivering compliance and have proper governance built into the contract.
Some of what you’re already doing should already be good enough. Nothing is ever perfect, and you need to prioritise. Don’t get distracted expanding the options in your online contact preference control panel when you should be focused on preventing a breach of your patron data, or fixing the red flags in your equal opportunities programme. Remember, too, that the regulator wants to see that you’re trying to be compliant, so document your decision-making, prioritisation and planning.
Next month, we’re going to talk about how to do some of these things. Right now, you need to work out what you’re going to do, who’s going to do it, when it’s going to be done and how it’s going to be paid for. Get your board involved; they need to sign off on the impact these changes may have. Get endorsement from your lawyers, or from other advisers, so that you can be sure you’re on the right track. Make sure you have effective oversight and project management in place.
Need help? Email us at Managed Networks at email@example.com
We’ll be at The Stage Awards on January 26, sponsoring London theatre of the year