As I covered in the last blog, the General Data Protection Regulation is due to come into force across the EU in just over a year’s time. In this follow-up to part one of our “Countdown to Compliance” series, which covered the tasks you should be undertaking in the first 6 months of the year, we complete the countdown. For the sake of convenience I have organised the Countdown actions into the following categories:
A – Action | I – Influence | M – Measure.
Or AIM for short.
In the first 6 months you should have:
- Confirmed your legal basis for data processing
- Reviewed your existing data security processes
- Identified your areas of greatest weakness
- Evaluated your 3rd party contracts to ensure that your suppliers meet your standards
- Defined your consent status
- Started the creation of your GDPR “bible” of processes
If you have completed those tasks then you’ll be moving in the right direction. The second six months of the year, however, are all about implementation.
October’s actions were all about starting to put together your process bible for GDPR. I discussed the Accountability principle: firms must be able to proactively demonstrate that they comply with the Act, not just react to breaches or issues. In November your goal is to build the training materials for your firm.
- ACTION: Create the training documentation that will be needed to train your users and to demonstrate that you are including information and data security in all staff training.
- INFLUENCE: You will need to work closely with the Data Protection Officer and with HR to ensure that your processes and training documentation are included in the induction programme and also in all staff contracts.
- MEASURE: It would be a good exercise to find out from HR if they measure what training people have had and if people are required to sign any statements confirming their acceptance of policies or that they have attended a training course on a specific topic.
Although we might all be thinking of other things in December, we don’t want to get complacent. We only have 5 months left until the legislation comes into effect. This month you need to be thinking of the other data subjects’ rights, not just consent.
- ACTION: Make sure that you and the DP Officer are clear about what the right to Access of information, the right to Rectification of that data and the right of Erasure mean and that you are confident that you have systems and processes in place to manage this. It might be a good time to consider a data amnesty and get people submitting their lists over the Holiday season so that you can evaluate them in the New Year.
- INFLUENCE: One of the key challenges is that not all the data on individuals may be in the CRM system. Now is the time to make sure that the Directors and Partners of the business are aware that the only way that they can hope to comply is by making their colleagues disclose and share their contact information.
- MEASURE: You should have reports in place that enable you to quantify how much contact data is in the firm’s core systems and where else data might be lurking e.g. in spreadsheets or Outlook.
Now that you’ve spent time understanding the rights that data subjects have, you need to put together your policy statements so that they are aware of them. The legislation is very clear about what you have to communicate so it’s almost certainly the case that every firm will need to update their information statements.
- ACTION: Create the necessary policy and privacy statements on your website and on all your outward facing communications.
- INFLUENCE: You’ll need to work closely with marketing communications and also the DP Officer to make sure that your statements are correct and contain all the information that is required by law.
- MEASURE: You should do an audit of the locations where you are required to have policy statements to make sure that you have all your bases covered.
Now that we’re getting to the sharp end of the 12 month countdown, and a lot of what we need is in place, we need to think about the on-going data quality programme. You’ll need to build in the necessary processes and measures to carry you beyond May 2018. One of the requirements of the Act is that data is accurate and relevant, so data quality is incredibly important.
- ACTION: Create a data management plan with clear processes for how you deal with adding new contacts to the system, how you maintain and manage data quality and how you are going to deal with archiving and deletion.
- INFLUENCE: You may find that you need additional budget or resources to ensure that you comply with the requirements of the Act, so it’s a good idea to work with finance to ensure that sufficient budget is allocated to data management and quality.
- MEASURE: You need to build detailed audit measures into your system to record data quality, principally how you validated data and when. It would be a good idea to think about implementing some sort of traffic light system, and also to give consideration to how your users are going to get involved if contacts don’t reply to communications asking them for their express consent, or if their consent status is about to lapse.
Just 2 months to go. In these final weeks it’s all about training. Whilst you won’t be responsible for training on GDPR specifically, you need to make sure that GDPR training is a critical part of CRM training and that users understand what is expected of them in relation to data that they add to CRM and the use of marketing lists.
- ACTION: Implement a programme of user training on the CRM system with a key focus on consent, marketing lists and data quality.
- INFLUENCE: You’ll need assistance from the board to ensure that users are required to attend training.
- MEASURE: Keep a record of who’s been trained and make sure that this is shared with the board so that they can track progress.
So with just one month to go, you should be in pretty good shape. This month is all about confirming that everything is in place and preparing a final report for the board.
- ACTION: Create a checklist of all the actions that you’ve completed over the last 12 months and prepare a report for the board.
- INFLUENCE: Work with your colleagues in finance, HR and Risk along with the DP Officer to prepare the board report.
- MEASURE: Make sure that the checklist is something that you can use on an on-going basis to ensure that you continue to comply.
So now it’s finally here. All that hard work will be worth it. There will be many others who are probably panicking right now but you can sit back and relax knowing that you’ve done everything you can to get ready for the legislation.
Are you ready for GDPR?