Key steps to GDPR success

Understanding the requirements of GDPR is one thing, but being able to translate this into compliance is something else entirely. And of course the larger the organisation, the more complex the process.

With this in mind, what can organisations do to ensure they comply?

1. Map your data flow: conduct an audit

This is perhaps the most important step, and the one which every other element of GDPR compliance is built on. Get the discovery phase right and the rest will follow, get it wrong and the entire process will be beset with problems. By conducting an audit organisations can establish:

  • What data has been collected
  • Where it is being stored
  • Who is using the data
  • Why the data is being collected and its purpose
  • When permission was granted
  • Where permission was granted

This needs to be extremely detailed, right down to the level of where in a building VRNs are stored.

As part of this process, businesses can also determine which legal definition they are processing data under. They will also be able to highlight where they may need to go through a re-consent process with customers, which can act as a great way to reconnect with individuals.

2. Examine your privacy policy

Providing privacy information is already a requirement under the DPA, but GDPR takes it a step further. It has a specific emphasis on making privacy notices understandable, transparent and accessible. Best practice here is to explain with each piece of data collected why it is being collected and how it will be used. This will make it easier for individuals to understand and also be repeatedly informed about how their data is being stored and used.

Of course the level of detail needed in a privacy policy will depend on the type of organisation. For a mail order company who just needs to collect names and addresses it will be fairly straightforward, for a large organisation such as Sky, it will be far more complicated.

What remains the same, regardless of the size of organisation or sector, is the need to take the opportunity to help empower customers and build trust. For example, organisations could look to integrate a permissions management dashboard into their privacy policies, which will not only give customers greater control, but will also enable businesses to use data more effectively.

3. Appoint a Data Protection Officer

Having a suitably knowledgeable person or team of people that focus solely on data protection is not a prerequisite of GDPR, but it will hugely help in complying with it and with data management and governance generally.

If there is not someone with this expertise already in the team, then businesses need to act now to train or recruit someone.

Their role will be two-fold, to act as someone individuals can contact regarding their personal data and also to cascade out information about GDPR and data protection across their organisation.

The Data Protection Officer will also be key in helping to gain board level support, as once this is in place then half the battle is already won.

4. Educate everybody

Every single person within an organisation needs to understand the importance of GDPR and that there is a fundamental move within the organisation to treat data differently going forward.

This again demonstrates why a Data Protection Officer is so vital as they will play a pivotal role in ensuring this happens.

As GDPR compliance essentially involves implementing a new data strategy, it is especially important that the board fully understands the impact of GDPR and is on-board with making resources available to implement the changes.

 5. Communicate externally

Once everyone internally understands the new data strategy and is aware of the role they need to play, businesses can then communicate their new approach externally.

It is hard to impress how important transparency with customers here is – and not for the sake of compliance with the new regulations, but for the good of the company as a whole.

Our current ‘Ask the Experts’ GDPR report has been produced in partnership with one of our Group Companies, Response One and one of our Partner organisations, MyLife Digital.

Talk to us if you want to learn more. 

Back to Insights

Bench Newsletter

Register here to receive the latest Newsletter