Many small business owners are still looking for guidance on how to survive the latest changes to data privacy laws. If you’re among them, read on to find out how you can make the process a little easier…
Who’s the Boss?
Whether you’re fortunate enough to have sufficient funds to appoint a dedicated Data Protection Officer (DPO), or among the many of us looking to personnel from marketing, HR, finance or legal departments to fulfil the role, you can’t start planning for GDPR without someone to co-ordinate the work. If you don’t have the skills or capacity in-house, one possible alternative is to outsource the role to an external legal advisor or solution provider.
Make Friends with your Data
Once your DPO is sitting comfortably, the first real task is to understand the nature of the data held by your organisation, and what falls under the remit of GDPR. You’ll need to identify all ‘personally identifiable data’, held on both customers and staff, and determine whether it is held on one system or multiple systems.
Personally identifiable data includes even the most basic information, such as names, telephone numbers and email addresses.
Mind the GAP Analysis
The next step is to perform a GAP analysis. This will help you to understand exactly how GDPR applies to your organisation and to review internal systems and data processes for areas of weakness or risk. Essentially, a GAP analysis should identify any potential risks in relation to GDPR compliance, which in turn will give you a better idea of how to address them.
Ideally, the GAP analysis should be performed by whoever is responsible for your data management. Consider whether your organisation is equipped to perform this internally, or whether external support is required.
Basically, the GAP analysis identifies the gaps between current processes and GDPR compliance. The next step is deciding how to address these issues and close the gaps.
Perfect Transition Planning Prevents Poor Performance
With the GAP analysis complete, you will need an action plan detailing what changes need to be made to your existing data management processes, how they will be made, by whom, and when.
This could involve a complete overhaul of existing policies and processes, but in some cases a bit of tweaking here and there may suffice. It all depends on how close you were to GDPR compliance beforehand.
An effective action plan will incorporate all of the elements which are important to your organisation. These might include:
Goals – exactly what is needed to achieve GDPR compliance whilst also operating a successful business
How you will continue to engage with clients and customers
People – how to brief teams appropriately in order to ensure that they understand GDPR and their contribution towards achieving compliance
Processes – which new processes need to be implemented and which existing processes need to be amended in order to achieve compliance
Policy – ensure that all policy documents/web pages are accurate and up-to-date in relation to GDPR
Systems and Data – ensure that all systems meet with GDPR requirements and are fully integrated and managed
Putting the Plan into Action
Once you’ve got your plan in place, roll it out across the business and hold people accountable. Staff must be made aware of any deadlines and commitments for which they are responsible, and they should be monitored to ensure that targets are met on time.
It’s extremely important to remain open and flexible concerning new or modified systems which you have implemented. Remember, Rome wasn’t built in a day and it’s often hard to get things right first time. So if you find that you’re not getting the results you want, don’t be afraid to make changes.
In the meantime, also be sure to keep a close eye on any changes to the GDPR legislation which are bound to follow the initial rollout.
The Customer is Always First
All organisations need to find the right balance between meeting obligatory regulatory requirements – such as GDPR – and engagement with customers. Whilst there is no shortcut around GDPR compliance, we mustn’t lose sight of the fact that for most of us, our customers are our business, so engagement is equally important. We still want to engage with our customers, we just have to make sure to do so in a GDPR-compliant way.
Although GDPR undoubtedly presents many of us with a challenge, it’s important to remember that the legislation has been introduced in order not only to strengthen data protection procedures, but also to hold us all accountable for how we handle personal data. And in the long run, this can only be a good thing.
Hopefully these tips will help you and your organisation to achieve a more seamless transition to GDPR compliance. Good luck!