The General Data Protection Regulation is due to come into force across the EU in just over a year’s time. In this follow-up to our earlier blog, where we offered an overview of the regulation, I plan to explain how professional service marketers should prepare for its enactment by providing you with a Countdown to Compliance on a month-by-month basis.
In Part 1 we will concentrate on May through October. Feel free to share this with all your data and CRM colleagues in your network – they will thank you for it in the long run!
For the sake of convenience I have organised the Countdown actions into the following categories:
A – Action | I – Influence | M – Measure.
Or AIM for short.
This month’s actions are all about laying the foundations for compliance.
This involves checking off some specific actions, but more importantly identifying the stakeholders within the firm that you are going to need to work with.
- ACTION: Confirm your legal basis for data processing.
- INFLUENCE: Identify within leadership the key individuals that you will need to work with to implement the firm’s GDPR plan.
- MEASURE: Run a report on your CRM system (and other systems if you have them) that enables you to segment contacts by your confidence in the quality and completeness of their Consent Status, e.g. explicit consent, implied consent, no consent.
We now have less than a year to go, so this month there is a need to get some key elements in place in the plan.
- ACTION: GDPR has a requirement to build data security into your processes by design. So this month’s action is to review your existing processes for reporting breaches and to identify specific areas of weakness.
- INFLUENCE: If you’ve not already done so you need to identify your Data Protection Officer. You will be working closely with this person over the coming months.
- MEASURE: You need to work with your DP Officer to review your findings from your existing processes and score them according to their risk.
You might be forgiven for thinking that as we approach the summer you could take your foot off the pedal. However, if you are, like most firms, in the position where your existing processes leave something to be desired, you are going to need to work hard to address the issues that your process audit will have uncovered.
- ACTION: Focus on your areas of greatest vulnerability. Most firms are not likely to be of great interest to hackers (unless you focus specifically on M&A), so whilst data centres and servers are incredibly important, most firms actually have what might be considered fairly mundane points of weakness. For example, do staff email unsecured data to 3rd parties? Do they work on Wi-Fi in unsecured locations? These are the sorts of things that are often overlooked but can be open to interception.
- INFLUENCE: You’re going to need to work with your risk and compliance people to ensure that your policies are up to date and that key areas of weakness are eradicated.
- MEASURE: If you can, with the help of IT, you should be looking at email systems or logs, such as Mimecast, to try to understand how frequently data is emailed outside the firm’s firewall.
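As an added illustration of the kind of measure described above (this is example code, not part of the original post and not tied to any vendor’s export format), the script below reads a constructed, simplified outbound-mail log and counts how many messages left the firm’s domain, how many of those carried attachments, and which external domains received them. The `|`-separated line format, the sample lines and the `example-firm.test` domain are all assumptions made for the example.

```python
"""Baseline how often mail leaves the firm: added example, constructed data.

Assumed log format (NOT a real Mimecast export), one outbound message per line:
    timestamp|sender|recipients(comma-separated)|attachment_count
"""
from collections import Counter
from dataclasses import dataclass, field

FIRM_DOMAIN = "example-firm.test"  # placeholder for the firm's own domain

# Constructed sample log lines; the last one is deliberately malformed.
SAMPLE_LOG = """\
2017-06-01T09:12:03|jsmith@example-firm.test|client@client-a.test|1
2017-06-01T09:15:44|jsmith@example-firm.test|mjones@example-firm.test|0
2017-06-01T10:02:10|agreen@example-firm.test|partner@law-b.test,mjones@example-firm.test|2
2017-06-01T11:30:00|agreen@example-firm.test|agreen@personal-mail.test|0
2017-06-01T12:00:00|bad line without enough fields
"""


@dataclass
class OutboundSummary:
    total: int = 0                    # well-formed messages seen
    external: int = 0                 # messages with at least one external recipient
    external_with_attachments: int = 0
    external_domains: Counter = field(default_factory=Counter)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.strip().lower().rsplit("@", 1)[-1]


def summarise_outbound(log_text: str, firm_domain: str = FIRM_DOMAIN) -> OutboundSummary:
    """Count messages that left the firm and the domains they went to."""
    summary = OutboundSummary()
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the report
        _timestamp, _sender, recipients, attachments = parts
        try:
            attachment_count = int(attachments)
        except ValueError:
            continue
        external = {domain_of(r) for r in recipients.split(",")
                    if domain_of(r) != firm_domain}
        summary.total += 1
        if external:
            summary.external += 1
            summary.external_domains.update(external)
            if attachment_count > 0:
                summary.external_with_attachments += 1
    return summary


if __name__ == "__main__":
    print(summarise_outbound(SAMPLE_LOG))
```

Run against a real export you would first adapt `summarise_outbound` to that system’s column layout; the ratio of external messages with attachments to total messages is the figure worth reporting to Risk and Compliance.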
One of the big changes in the legislation is the increased obligations on data processors, so it’s not enough simply to put your own house in order: you need to make sure that those processing data on your behalf are in good shape too.
- ACTION: Evaluate your contracts with 3rd parties and determine whether you need to speak with your suppliers and/or review and tighten their contracts.
- INFLUENCE: You are going to need to involve purchasing (or whoever has responsibility for managing contracts), as you are almost certainly going to need to change some of your supplier vetting processes to ensure that they are meeting their obligations.
- MEASURE: Evaluate the number of times that data was processed on your behalf and, if you can, determine how often that data was taken off-premise or connected to remotely.
There is a lot of mythology and misunderstanding on what constitutes compliance. You can take the common sense route, which is that if a person is engaging with your firm then obviously they have given consent for you to contact them. In many cases that’s true, but in legal terms it is still only implied consent. This month is all about getting firm-wide agreement on terminology and interpretation.
- ACTION: Define your Consent statuses.
- INFLUENCE: Work with the DP Officer and Risk and Compliance on your definitions, where you think you currently stand and what actions you need to take.
- MEASURE: Re-run your audit of consent and insist that this is discussed at the next board meeting.
Over the last 6 months you’ve been putting in place the foundations for compliance by looking at policies and processes, suppliers and staff, and key areas of concern or weakness. This is all excellent, as one of the key changes in the legislation is the fact that you need to prepare for the Accountability principle. What this means is that it’s no longer sufficient to be able to defend an accusation of non-compliance; you must proactively demonstrate everything you do to achieve compliance.
- ACTION: Start compiling your bible of GDPR with everything you’ve found so far. The next few months are going to be all about fixing problems, implementation and training.
- INFLUENCE: Work with your training and HR colleagues, as you are going to need their assistance in developing training programmes and building the obligation to follow the firm’s processes into your HR policies.
- MEASURE: Report back to the board on what you have done and your roadmap for the 6 months ahead.
- Go to Part 2 of the GDPR Checklist