The European Data Privacy Act has recently evolved into the General Data Protection Regulation (GDPR).
Following 4 years of deliberations, sittings and hearings at the European Parliament, the GDPR was finally approved in April 2016. The enforcement date of GDPR is 25, May 2018. As from this date, any organisation that is deemed non compliant will pay fines in the order of 4% of annual global turnover or €20 million, depending on which is greater. As at the time this article is published, all EU organisations and non-EU organisations with EU customers have about 11 months left to ensure compliance but most companies are still not clear on what to do to respond to this regulation.
What are the basic steps to becoming GDPR compliant?
There are 4 steps to becoming and staying GDPR compliant:
Auditing -> Remodeling -> Continuous Compliance -> Customer Innovation
Auditing
This is simply listing all the regulation areas of the GDPR and comparing the data in your organisation and the way data is used or processed in your organisation to what is required by the regulation. Auditing not only requires a technical look into the tables in your SQL databases, it also requires a deep dive into the way customer personal data is being used in your business processes. For instance, as a Bank Account Officer opening a current account for a new client, do I need to know how many kids my client has? In the past, this information would probably have been used to propose an adapted family insurance plan. GDPR however, states that any data collected must be used directly for the product or service for which it was intended. However, if ever you collect an indirect data, the customer has to give explicit consent for the indirect purpose for which the data has been collected.
Depending on how diverse the product and services channel of your organisation is, this step might take a long but necessary time.
Remodeling
Once non-compliant data and processes have been identified, the next obvious step is take appropriate steps to remodel the business processes involved in such a way that personal data collection and processing is done in a GDPR compliant way. GDPR classifies personal data into sensitive and non-sensitive personal data. Depending on the type of personal data, the data processing measures and regulations could be different. For example, explicit consent is required for processing sensitive data (much like a signed consent is required to stop supporting a coma patient at the hospital). However, for non-sensitive data, ambiguous consent is accepted by the GDPR.
Your objective in this step is to do an overhauling of your business processes and data in order to ensure GDPR compliance.
Continuous Compliance
After remodeling or reforms have been put in place to attain compliance, it is necessary to constantly audit the new system. If you have appointed a Data Processing Officer, his/her role will be to ensure that all internal or external data processing remain GDPR compliant. It is important to schedule unofficial or mock audits from time to time. The essence of this step is to quickly identify loopholes and take necessary measures. One important aspect of continuous compliance that has been emphasised by the GDPR is the Privacy by Design concept. That is, ensuring that a new customer-focused project (marketing, technical, commercial…) is GDPR compliant from the onset by having GDPR compliance metrics as part of its KPIs or success criteria.
In reality, this is step is more of a continuous activity rather than a milestone. The objective is to be compliant and remain compliant.
Customer Innovation
This step completes the compliance journey. It can only be carried out when existing processes and data processes are have been properly remodelled. This involves providing all the customer facing services mandated by GDPR. For example; allowing a customer to explicitly withdraw consent for Personal Data Processing, allowing your customers to exercise their rights to be forgotten, giving your customer access in readable format to ALL the personal data you have on him/her and putting up tools and processes allowing for a third-party personal data transfer initiated by a customer (Data Portability). Depending on the type of product or service you offer as an organisation, this means integrating a number of new tools and functionalities into existing customer portals or creating new ones entirely.
If done properly, this step will not only steer your organisation towards full compliance, it will also build trust and increase your customers’ confidence in the products and services you offer while securing a lasting relationship with your customers.
Conclusion
Of course, depending on the sector and your business context, there could be more steps. The steps described above are basic and are based solely on my personal opinion. Please feel free to comment below if you object or would like to add some more information and like and share so this information can get to everyone that needs it :). Thanks.
Click here for more information on GDPR
