*As featured on Information Age*
At Experian we believe that the General Data Protection Regulation (GDPR) presents a positive opportunity to transform the way you organise and process your data, increasing the value you derive from it and reinforcing the customer-centric business practices that are essential in our data-driven age. I was delighted therefore to see my recent article on preparing for the regulation sourced in a guest article on Information Age. You can read it below, or visit Information Age to read it along with a host of highly informative industry perspectives.
The impending GDPR is ready to impact every organisation that deals with Europe. The penalties are big, so preparation is key.
A core theme of the European Union’s General Data Protection Regulation (GDPR), which is to keep consumer interests front of mind at all times, mirrors sound fundamental advice for all companies.
Customer-centric business practices are especially essential in the data-driven age, driving innovation and opportunity. Yet, GDPR requires a significant change in behaviour for most firms.
For those looking to ensure that their journey ends well, or needing to implement compliance in a hurry before that May 2018 deadline, here is an actionable set of advice. It’s designed to help organisations of any size and complexity to navigate compliance, rapidly.
The three “I”s
If they’ve not already, it is imperative that businesses start to think about their implementation requirements immediately.
It’s not good enough to feel “fairly confident” that the data held is being used in the interests of the customer. It’s a requirement that new levels of scrutiny are applied here, and the customer’s perspective is the be-all and end-all guide to whether you are getting it right.
With this in mind, we’ve created this three-step process for organisations to work through, to help firms navigate – and potentially thrive in – the new regulatory environment.
When preparing for GDPR, organisations must make sure that the personal data they hold is accurate and that the collection, storage, use and erasure of that data follow a “Privacy by Design” approach which takes privacy into account from inception and throughout the whole process.
Data quality is the first stage in the process. Only after a thorough investigation can businesses understand where they may be exposed and where they need to improve their data management practices.
It’s also a good idea to develop a full understanding about what constitutes “personal data”, given the broader GDPR definition. Consider the quality and integrity of the personal data held. Is it accurate and up to date?
- Do you need to keep it at all? What is the value of this data to the business? What have you told consumers about how long you will retain their data?
- What are the main data risks in the business? Create awareness across your structure and set up a privacy task force to inform decision makers on GDPR impact.
- Understand the legal grounds on which you currently collect and use personal data. How are consent, legitimate interests and other grounds used as a basis for processing personal data? Record this.
- Map the personal data you hold and how this data flows through your organisation (system by system). Identify personal data flows which happen across borders, both to and from other EU states, and beyond.
- Identify personal data capture points (e.g. online forms, registrations, call centres). Are you validating at point of entry? What are people told about how their data will be used? Check policies, statements, and notices.
- Categorise data and associate risk to prioritise activity. Conduct Data Protection Impact Assessments (DPIAs) for riskier activities.
- Review and update privacy policies and notices: make sure they meet the transparency challenge.
- Review all third-party relationships – partners now have responsibilities.
It is a given that with the enhancement in standards of customer data management set by the new regulatory framework, businesses must improve their approach in line with those new requirements.
Organisations need to ensure they are always meeting the rights of the data subject: holding accurate data, improving practices such as data portability and subject access requests, and guaranteeing that the consumer’s right to rectify, to object and to have their data deleted is straightforward to exercise.
Practices you should consider introducing to meet the new requirements set by the GDPR include:
- Developing a full 360-degree view of the customer base, utilising the latest technology, to ensure you are able to keep up to date with customer data across channels. For example, applying a unique customer identifier, commonly known as a customer PIN, helps businesses draw all the information together, even when the data itself is spread across multiple points and is constantly evolving.
- The adoption of compliance “building blocks” that reflect the key themes of GDPR and demonstrate to the regulator that the organisation is taking active measures to ensure responsibility for effective data protection, including documentation and regular audit processes.
- Introducing a new information governance framework to help with risk management, which can consist of:
  - Integrated privacy policies
  - Security procedures
  - Data retention procedures
  - Data sharing/vendor agreements
  - Intragroup data transfers
  - Data protection officers’ reporting lines and privacy by design
  - Routine audit, training and cultural awareness
- The appointment of key “data-related roles” to address skills shortages and meet the demands of working in the new regulatory landscape.
- Allocating resources and staff training to meet the demands of the new data strategy.
Businesses need to absorb new models of best practice into their data strategy and, ideally, integrate them into the culture of the organisation.
They need to ensure “bad data” is prevented from entering their systems after the GDPR deadline has passed. Key contact information should be usable and accurate so that customers can be reached easily. Identity and fraud checks will need to be built into current systems.
Furthermore, organisations will be expected to have the right processes in place to protect their customers in the event of a data breach. Coherent response plans will need to be incorporated into business plans, so that these new criteria can be met.
When assimilating new data-related policies and procedures into your organisation’s approach, some steps that should be worked through are:
- Overhaul data security, especially encryption techniques. Document where any personal data is located and how this is stored. Ensure the data is secure by introducing a culture of data responsibility.
- Introduce a responsive data breach plan that can meet the required 72-hour notification timeframe. Consider working with external partners to meet the demands of the new rules.
- Build IT systems and procedures that can technically cope with the new individual rights and enhanced metadata/record-keeping requirements.
- Be prepared to manage data subject rights effectively. Make sure you could cope if the volume of these increased substantially.
- Make sure you can store proof of consent and multiple permissions.
- Evidence standards and ensure record keeping is embedded into the business going forwards. Put in place relevant policies and documents to support this culture change.
- Privacy by Design and privacy impact assessments should be built into any new products and services and incorporated into websites, etc., as soon as possible.
- Develop positive privacy communications to enhance transparency and build trust with customers.
Bring it all together
The new rules put customers’ interests firmly at the heart of doing business, with the aim of promoting more transparency and building trust. This can only be a good thing.
That said, moving towards a data strategy that allows organisations to flourish in the new regulatory environment is likely to throw up some challenges. Preparation and timely action will be key to making the most of the opportunities ahead.
However, only when organisations start to think more deeply will they recognise that by improving their data governance they will achieve a more fundamental and resilient level of compliance.
The points above should give a good indication of the task ahead – but firms should also seek expert advice from a qualified partner. Although daunting, GDPR should be seen as a chance to transform a business for all the right reasons, putting consumers’ interests firmly at the heart of our data-powered future.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.