Understanding the requirements of GDPR is one thing, but being able to translate this into compliance is something else entirely. And of course the larger the organisation, the more complex the process.
With this in mind, what can organisations do to ensure they comply?
1. Map your data flow: conduct an audit
This is perhaps the most important step, and the one on which every other element of GDPR compliance is built. Get the discovery phase right and the rest will follow; get it wrong and the entire process will be beset with problems. By conducting an audit, organisations can establish:
This needs to be extremely detailed, right down to the level of where in a building VRNs are stored.
As part of this process, businesses can also determine which legal definition they are processing data under. They will also be able to highlight where they may need to go through a re-consent process with customers, which can act as a great way to reconnect with individuals.
Providing privacy information is already a requirement under the DPA, but GDPR takes it a step further. It has a specific emphasis on making privacy notices understandable, transparent and accessible. Best practice here is to explain with each piece of data collected why it is being collected and how it will be used. This will make it easier for individuals to understand and also be repeatedly informed about how their data is being stored and used.
What remains the same, regardless of the size of organisation or sector, is the need to take the opportunity to help empower customers and build trust. For example, organisations could look to integrate a permissions management dashboard into their privacy policies, which will not only give customers greater control, but will also enable businesses to use data more effectively.
3. Appoint a Data Protection Officer
Having a suitably knowledgeable person or team of people that focus solely on data protection is not a prerequisite of GDPR, but it will hugely help in complying with it and with data management and governance generally.
If there is not someone with this expertise already in the team, then businesses need to act now to train or recruit someone.
Their role will be two-fold: to act as someone individuals can contact regarding their personal data, and to cascade information about GDPR and data protection across the organisation.
The Data Protection Officer will also be key in helping to gain board level support, as once this is in place then half the battle is already won.
4. Educate everybody
Every single person within an organisation needs to understand the importance of GDPR and that there is a fundamental move within the organisation to treat data differently going forward.
This again demonstrates why a Data Protection Officer is so vital as they will play a pivotal role in ensuring this happens.
As GDPR compliance essentially involves implementing a new data strategy, it is especially important that the board fully understands the impact of GDPR and is on-board with making resources available to implement the changes.
5. Communicate externally
Once everyone internally understands the new data strategy and is aware of the role they need to play, businesses can then communicate their new approach externally.
It is hard to overstate how important transparency with customers is here – and not for the sake of compliance with the new regulations, but for the good of the company as a whole.