GDPR is just around the corner, and membership organisations, NFPs and companies alike are having to prepare themselves. For many, the 25 May 2018 deadline is hovering over them like a dark cloud.
Over the course of 2017, alarmist headlines have appeared across newsfeeds on an almost weekly basis, and some opportunistic companies have played on these fears, offering non-specific audits and other costly services that do not necessarily deliver compliance at the end of the so-called project.
However, whilst it does present new challenges to those concerned, GDPR is not insurmountable for organisations. There is, of course, research to be done and decisions to be made by those responsible, but when correctly thought out and conscientiously applied, GDPR will enable managers to implement a higher-quality, better-documented data processing policy.
In fact, running to an external provider in the hope of a quick fix for the new data protection rules may have quite the opposite effect, doing more harm than good in the long run. Every company, association and charity already has its own existing requirements for data management and will need a different set of tools to ensure compliance. An SME differs from an NFP or a multinational, and each sector will require a targeted approach to defining its data processing needs.
What you need to start: Pragmatism
Before giving in to panic and making hasty decisions, the most sensible first step is also the most obvious: run an internal assessment of your organisation. This will help you identify any and all steps to take on the road to compliance. To know what you need, you will need to be up to date on what the Information Commissioner’s Office and the European legislation require, so research is key. The ICO website is an excellent place to start if you haven’t already. This research phase then leads on to creating a list of requirements, making it easier to identify which new processes need to be put in place and which existing ones require updating.
The 3 main pillars of GDPR:
- Reinforcing individuals’ rights: personal data portability, the right to be forgotten (erasure), improved protection for children and stricter rules for consent all work towards the principle of transparency about how data is used.
- Accountability: making those who process data responsible for their own actions and for those of their subcontractors (processors), with responsibility for demonstrating compliance assigned from the outset.
- Privacy by design: implementing measures to ensure that personal data protection is part of a service’s architecture from the moment it is created.
These three pillars, drawn from the European Commission’s own presentation of the regulation, are the core of GDPR and create a basic framework for companies to follow. By using them, companies will be able to break down their day-to-day processes and see more easily what needs to be updated. As more data on individuals becomes available, some of the key functions of this regulation deal with consent management, personal data (marital status, address, behavioural information, etc.) and sensitive data, which GDPR calls special categories of personal data (religion, political affiliation, biometric data, etc.), as well as how that data is updated, shared and how long it is stored.
Beyond compliance itself, the regulation gives you an opportunity to re-qualify your contact database. Ensuring your contacts’ consent is up to date will let you know what they are happy for you to do with their information (sending newsletters, suggesting similar offers, etc.) and how they want it to be processed.
However, this doesn’t mean there is a single rule to follow for all. The regulation will apply differently to different types of organisation. For example, will it be necessary to appoint a Data Protection Officer? What data needs to be removed and what needs to be kept? How do existing processes need to change to be GDPR compliant? Are the solutions in place fit for purpose?
Implementing a compliance strategy
A key concept in the new regulation is Privacy by Design. It requires proactive and preventative measures to be in place for the processing of personal data, so that protection is both built in and applied by default rather than added afterwards.
Building respect for individuals’ privacy into the systems created to manage their data should ensure comprehensive protection and end-to-end security for the entire time the data is retained. Respect for the private lives of users and for the interests of the individual remain the main objectives of GDPR.
Of course, implementing Privacy by Design begins at both the organisational and the technical level. Organisations will be required to collect only the information they actually need about their contacts, and to inform them when they plan to process their data. The result, perhaps counter-intuitively, will be organisations with a better understanding of their contacts: data use will be of higher quality, and contacts’ rights will be better respected because the data is used on the basis of informed consent.
These tenets of accountability (implemented through internal procedures that demonstrate respect for the new regulation and the protection of personal data) serve two aims for any successful organisation that are intrinsic to GDPR: to benefit from a positive image as a company that respects its contacts’ privacy, and to maximise profitability by using data in a more targeted, better-organised manner.
While many aspects of GDPR are clear cut, notably those concerning individuals’ data privacy, others are subject to interpretation. For example, when it comes to how long to retain data, how much time should pass before it is no longer useful? Where does one stand regarding legitimate interest as a basis for data processing? These are the questions that have fuelled the uptick in end-of-the-world articles, as there is no single clear-cut response: it depends on the organisation in question.
Following analysis, implementation
Implementing GDPR compliance can seem inconvenient and restrictive at first glance, but it doesn’t have to be an obstacle for companies. The rules will certainly continue to be refined after they take effect on 25 May 2018, and the European Commission has already published additional material in recent months. To ensure that they are operating within the boundaries of the law and projecting a positive image to their clients and partners, organisations will have to ensure that their compliance strategy and updated processes are in place by that date.
This is why, once a GDPR policy and a compliance strategy have been decided, it is advisable to assess whether the organisation’s contact management systems are still fit for purpose.
A suitable solution will be flexible enough to implement the organisation’s own GDPR policy whilst providing a common framework for all departments, so that as many of the rules imposed by the new regulation as possible are applied automatically. Consent management, updates to processing records, data portability and the right to rectification are all requirements that have the potential to be time consuming if handled manually, and it is advisable to automate them where possible. Compliant doesn’t have to mean clunky.
Ben McCreanor, Business Development officer at Eudonet
Original article published in Les Echos by Eudonet (http://bit.ly/2yhKidK), translated by Ben McCreanor, Business Development officer at Eudonet
Eudonet provides cloud-based CRM solutions to over 30,000 users worldwide. They’re currently helping their clients to implement their own GDPR policies using a flexible, intuitive membership solution. To find out more, contact them on +44 20 7092 6659 or [email protected].