With the May 25 deadline for compliance with General Data Protection Regulation, or GDPR hours away your organisation should be putting the finishing touches to improved privacy and data protection policies across the organisation.
But hopefully you are also starting to see that the new regulations offer an opportunity as well as a cost in terms of time and resources spent to ensure you have achieved compliance.
The new rules are a chance for many companies to carry out some long overdue housekeeping. Cleaning up databases and ensuring proper permissions is never top of anyone’s priorities. But leaner, cleaner data sets are better for everyone.
Making sure marketing and other messages get to the right people using their personally preferred communication route is a big boost to customer relations.
Communicating the changes clearly and succinctly is a chance to showcase your organisation.
By now we’ve probably all received dozens of emails asking us to update our preferences, getting this process right can provide a good reputational boost to the business. And equally, because everyone is doing it, it can show up competitors who manage the process less well than you.
More importantly having a truly ‘fit-for-purpose’ data sets makes it easier to add functions like intelligent CRM and other analytics to your systems.
GDPR should mean better, faster and cheaper communication with customers and partners. But there are still some final checks that need to be carried out.
Firstly GDPR is not just an issue for the IT department.
Everyone in the organisation needs to understand what the changes mean for them and their department, not just on May 25, but going forward as well. Keeping staff up to speed as regulations evolve and change is vital to ensure you stay compliant.
Secondly teaching staff just what personal information is and why it is important might reveal some secrets hiding in parts of the organisation’s infrastructure that IT is not aware of.
Shadow IT raises many issues of compliance but GDPR should bring these to the foreground of staff thinking.
Informal databases of customers or prospects need to follow the same rules as the rest of the organisation. The changed rules might just be a chance to get a better grip on datasets kept within the organisation.
Again this is about more than compliance.
A precise data audit is a vital first step in adding big data, machine learning and other functions to systems.
Thirdly you need to ensure that the right people, and only the right people, are accessing this data. Again this is an opportunity to revisit rules and potentially provide better access across the business, with the proper controls in place of course.
Fourthly GDPR requires you to make sure the data is properly protected. By now this process is likely to be almost complete. But you need to ensure that encryption and anonymisation are in place where required – simply relying on a password is no longer good enough.
GDPR provides one final opportunity for your organisation. It requires you to have a plan in place should all of your best efforts fail and you suffer a breach.
That means testing back-up systems really do work. It means creating and practising drills for cyber security. These should be carried out like fire drills so that everyone knows exactly what is expected of them.
Having such policies in place has long been best practice but GDPR is a great chance to get support from the board and from staff across the business.
With all this in place you are not only ready for GDPR.
You should also have carried out all the tasks necessary to provide safe, secure and reliable systems for the whole business. Not only that but you’ve cleaned out databases and duplicate information to provide datasets which are ready for whatever extra functions the business needs in the future.
