The moment May 2018 dawns, your organization will have no room for excuses. GDPR can hit your organization like a tsunami if your processes aren't compliant, or be a blessing if they are. The future of your brand is thus clearly in your hands. If you currently serve EU citizens or intend to, you had better roll up your sleeves and get to work, for time will not be kind. Here's a crash course on bracing your organization for GDPR.
Familiarize yourself with the GDPR regulations at an overview level and identify the functions that will be impacted. Ideally, any function that is in direct contact with customers, or that processes their information, needs to be considered here. These are typically marketing, sales, support, pre-sales and so on. Get the top leadership of these functions together and get their input for a successful implementation of this initiative.
Spread the word
One person from within this group has to lead the GDPR initiative. This appointee, the Data Protection Officer (DPO), should have the support of the other functional heads and the authority to make the necessary changes to processes within the organization to bring them into compliance with GDPR.
Under the DPO's supervision, form a cross-functional team. Every function that has a role in the GDPR compliance process should be represented on this team. This ensures that every team member has a clear picture of the processes that different functions perform on people's data.
Make a list of the processes and touchpoints through which your organization receives data, and try to segregate this information by function. Every person whose data you collect should have given consent for the use of his or her data. This activity should help you prepare a governance framework that contains broad information about each function, a risk register for the processes where prior consent is not obtained, an accountability framework (since touchpoints are segregated by function), and a review process to monitor these activities at a later stage.
Secure the system
Create a data flow model so that you can audit even the smallest data collection and processing step. This is referred to as a data flow audit. It will highlight the areas you need to work on: where data is being collected without consent, where data is being processed unlawfully, and where data is not properly discarded after use or upon customer request.
Make the necessary changes to your existing systems wherever required. You may also need to bring in new systems to address the data issues you found. Bear in mind that every change is going to affect your system, so you need to test each new or modified system for GDPR compliance. If data passes through software systems, thorough software testing needs to be carried out.
While you test the new or modified system, you have to ensure that it has built-in pseudonymization. In GDPR this is defined as a process that transforms personal data in such a way that it can no longer be attributed to a specific person.
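As an added example that is not part of the original post, the Python below shows one way to build pseudonymization into a data pipeline and to test it the way the previous two steps describe. Direct identifiers are replaced with keyed HMAC-SHA256 tokens; the key is the "additional information" that GDPR Article 4(5) requires to be kept separately from the pseudonymized data, so the output cannot be attributed to a person by anyone who does not hold the key, while the same person still maps to the same token for analytics. The records, field names and key handling are constructed for illustration and are not from any real system.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (invented, not real customer data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.com", "plan": "free", "country": "FR"},
    {"email": "Alice@Example.com", "plan": "pro", "country": "DE"},  # same person, different case
]

# Hypothetical classification of which fields are direct identifiers.
DIRECT_IDENTIFIERS = {"email"}


def new_pseudonymization_key() -> bytes:
    """Generate the secret that makes tokens non-reversible for anyone without it.

    In a real deployment this key lives with a separate custodian (KMS/HSM),
    never alongside the pseudonymized dataset; that separation is what turns
    a keyed hash into GDPR pseudonymization rather than a guessable bare hash.
    """
    return secrets.token_bytes(32)


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace each direct identifier with a keyed HMAC-SHA256 token.

    A bare SHA-256 of an email would be recomputable by anyone with a list of
    candidate addresses; HMAC with a secret key removes that linkability.
    Values are normalized (lower-cased, stripped) so one person yields one token.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            normalized = str(value).strip().lower().encode("utf-8")
            token = hmac.new(key, normalized, hashlib.sha256).hexdigest()
            out[field + "_token"] = token
        else:
            out[field] = value
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    """Apply pseudonymize_record to every row of a dataset."""
    return [pseudonymize_record(r, key) for r in records]


def leaks_raw_identifiers(pseudonymized: list, originals: list) -> bool:
    """Compliance test: return True if any raw identifier value survives in the output.

    This is the kind of automated check the software testing step should run
    against every new or modified system before it goes live.
    """
    raw_values = {
        str(r[f]).strip().lower()
        for r in originals
        for f in DIRECT_IDENTIFIERS
        if f in r
    }
    for rec in pseudonymized:
        if any(f in rec for f in DIRECT_IDENTIFIERS):
            return True  # identifier column was not removed at all
        for value in rec.values():
            if isinstance(value, str) and value.strip().lower() in raw_values:
                return True
    return False


if __name__ == "__main__":
    key = new_pseudonymization_key()
    rows = pseudonymize_dataset(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    print("raw identifiers leaked:", leaks_raw_identifiers(rows, SAMPLE_RECORDS))
```

The token is deterministic per key, so analytics that need to count repeat customers still work on the pseudonymized rows; rotating or destroying the key is how you later sever the link on request. Note that pseudonymized data remains personal data under GDPR while the key exists, so the output still needs access controls, just weaker ones than the key store.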
Digital processes are easier to control than manual ones, so keep human handling of personal data to a minimum wherever possible.
Brace your organization
When all of the above steps are covered, you are almost ready to launch the initiative. However, despite GDPR being a data-centric concept, it is not limited to systems and processes. The people who handle this information are an integral part of the GDPR initiative. There may be many instances where data is not collected digitally and is changing hands in a non-secure format. Your staff need to be trained in handling such data, and the training has to be organization-wide for maximum effectiveness. Every new person joining the organization should be made aware of these processes and sensitized to the protection of people's data.
These four steps should help you visualize the GDPR strategy within your organization. Should you need more guidance on how to prepare for GDPR before the deadline, feel free to write to me.