All things GDPR: 5 Questions to Ask Yourself Now That the Dust Has Settled
We’ve all been hearing a lot about GDPR, the lawsuits, and consequences for the large companies that have failed to be fully compliant by the given deadline. Even though May 25 has come and gone, many companies are still struggling with this set of regulations. While we don’t have all the answers, we like to think we have most of them from our own research and preparations to be GDPR compliant – and we want to share them with you.
This is the second post in our series covering GDPR. While there will always be something for you to do with regard to GDPR compliance, these questions are here to help you evaluate where your organization currently stands with GDPR compliance.
How did the GDPR come about? Do my employees know what GDPR is?
Just because you have been inundated with information on GDPR doesn’t mean other teams in your company will know that it’s something more than the latest four letters to be pulled out of a child’s alphabet soup.
To start off, you can share that “in January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’… One of the key components of the reforms is the introduction of the General Data Protection Regulation” (GDPR info).
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found [here]” (EU GDPR).
Take the time to explain to your employees what the General Data Protection Regulation is, who it protects, how each team in the company is affected, and what each team’s role is in the effort to move towards compliance.
What information are you collecting on people?
Today a digital identity contains more data than just the information on a driver’s license.
“[The major firms] are all making bucks from analyzing our digital footprints… Six firms – Google (Alphabet), Amazon, Facebook, Tencent, Alibaba, and Baidu – have almost all the information on all the citizens of the world held digitally” (iris.xyz).
The privacy and use of this data is what GDPR is about. If you think through your customer journey, you can pinpoint the points where consumers hand over some of the data that makes up their digital identity, and where you may collect it indirectly through any transaction you have with these individuals. GDPR dictates what personal data companies may collect, store, and use, and how they may do so.
Why are you collecting that data and how will you use it?
In a data-filled age, we all seem to want more and more data. The more, the better, right? With so much data, we can easily become overwhelmed by the amount available to us. GDPR is forcing many companies to take this time to really think about why they need to know the middle name of every customer’s third maternal second cousin. Take this opportunity to limit the data you collect to data that provides useful insights to your team.
No matter what data you deem necessary for your operations, make sure the data is acquired with explicit consent from each individual and map out why it’s needed and how it will be used in your organization.
While we defined consent, as it pertains to GDPR, for you in our previous post, there’s much more to consent. “The conditions for consent have been strengthened in the GDPR, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it” (EU GDPR).
If consent still seems confusing, check out this video.
Who is responsible for all of the data? How does it move throughout your company?
If you don’t already have your customer journey mapped out, doing so may help you answer these two questions. Business structures vary, but many departments transfer ownership of personal data via cases and tickets within your company’s CRM system. Having the journey mapped out will help you decide who is responsible for the data and shed light on how the data is transferred internally.
Whether the data is owned by Sales, Marketing, Finance, Human Resources, or even an Implementations team, document the data flow between your teams. Continually ask where the data came from and why you need it. As you begin documenting, the reality of being GDPR compliant will come into focus.
Where are you storing the data? Is it secure? What happens in a data breach?
Whether your data is stored in the cloud or in a dusty file cabinet, document it. (Can you sense a theme here?) Document why you have it and how you received it.
Depending on a few things, your company may need to appoint or hire a Data Protection Officer (DPO) for GDPR. This designated person will be the main point of contact for the regulators and your internal teams for compliance with GDPR. We’ll discuss this more in our next post.
In the event of a data breach, you’ll want a plan to turn to. Having a documented plan of action for a data breach in place is part of being compliant with GDPR. Document and share your procedure with your employees and make sure you can realistically execute it before May 25th.
“Under the GDPR, breach notification will become mandatory in all E.U. member states where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals.’ This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, ‘without undue delay’ after first becoming aware of a data breach.” (EU GDPR)
This is not legal advice for your company to use in complying with the GDPR. We insist you consult an attorney for advice on applying the law to your specific circumstances. You may not rely on this post as legal advice, nor as a recommendation of any particular legal understanding.