How can my business prepare for GDPR?
There are two stages towards becoming GDPR compliant: creating a strategy which is specific to your business, and subsequently implementing your business' pre-determined strategy in time for the implementation of the General Data Protection Regulations by 25th May 2018.
Creating a strategy to prepare for GDPR:
Here are 6 steps you could apply to your GDPR strategy:
1-Connect your varying sources of data together to form one singular bank of data, this needs to be easily accessible for each member of the organisation, if they handle personal data, to locate
2-Decide the roles in your organisation, who is: the data processor, the data subjects and the data protection officer (DPO)
3-GDPR has been formulated to protect data subjects' rights, therefore you need to enact the safeguards stated in the GDPR
4-Make your data management transparent, demonstrate why and how you carry out your procedure, so that you have evidence and justification if you are questioned about your data management by the Information Commissioner's Office (ICO)
5-Use an audit trail to track and document all of your data management actions, such as how you received consent, then how you documented and processed this consent afterwards
6-Finally, note where your non-compliance risks are. For example, do you have the right subject access request procedures in place to allow a data subject to access their personal data? Note down where the areas are in your data management strategy which could be at risk of non-compliance and pay extra detail to these areas.
Essential use of enterprise architects:
Dr Tim O'Neill, founder of Avolution, a global provider of Enterprise Architecture, states that the use of enterprise architects and risk and compliance professionals, is needed in a business to help create an effective GDPR strategy.
Enterprise architects can help to adapt the IT of a business to coincide with the GDPR strategy, this will create a more efficient base to work from.
Sector specific GDPR strategies:
Asos.com, the online British retailer, demonstrated their efficient GDPR strategy through releasing an email to their customers to notify them of their new data protection regulations. These emails offered customers an "opt-in" mechanism, as well as an "opt-out" mechanism, making explicit options for consent. As demonstrated by Asos.com, a GDPR strategy can be straight forward if you start early, so start with you re-permission campaigns to achieve specific consent from your customers.
Protiviti, the UK risk and business consultancy firm, have published a guide to help with building a compliance strategy for businesses. There is a lot of GDPR advice circulating, therefore there is no reason not to be ahead of the industry, especially if your business wants to avoid the crippling fines which will be issued by the Information Commissioner's Office (ICO).
How can my business implement changes for GDPR?
Once the GDPR strategy has been created, it is time to implement it as quickly as possible to avoid censure.
Correct implementation of you GDPR strategy is needed to mitigate the risks of a data breach. If a data breach occurs, the ICO can fine your business up to €20 million or 4% of an organisation's global turnover, whichever is highest. The first GDPR data breach occurred with Ticketmaster, an American ticket sales and distribution company, in June 2018, which is currently being investigated by the ICO.
Sainsbury's, the second largest supermarket chain in the UK, has been credited for its successful GDPR implementation and compliance. The Chief Data Officer, Andy Day, spoke out about Sainsbury's GDPR strategy, and notes that for the time being, they are focusing on being compliant and demonstrating how trustworthy their organisation is.
A re-permission email was sent out to Sainsbury's customers asking them explicitly if they would still like to receive emails from Sainsbury's, effectively re-gaining their consent.
Sainsbury's have made suggestions of going one step further, to gain a competitive edge over their rivals in their industry and creating a system of complete transparency for customers. This would assume the form of a system which would allow Sainsbury's customers to log on and view their data which is being used by Sainsbury's, for example to work out their shopping habits. Although this is only a current suggestion, it does demonstrate Sainsbury's being proactive in enforcing their GDPR compliance.
Therefore, if an organisation establishes a well prepared GDPR strategy, then the implementation of this strategy should ensure GDPR compliance is achieved.