Seven Steps to Sustainable GDPR Compliance
There was a scramble to get customers to opt in before the General Data Protection Regulation (GDPR) came into force in May 2018. However, many organisations will have failed to meet a key requirement of GDPR: data protection by design and by default, also known as privacy by design.
Have you ensured that privacy is baked in to all your business processes, so it is routinely protected?
GDPR guidance often suggests starting with the user data and the consents you have. They're good inputs to the compliance process, but we believe that the key to success is focusing on how data is used.
Here is our 7 step guide to achieving sustainable GDPR compliance.
- Identify data entry points: Map where customer data enters the organisation, and check what customers consent to as they give you information at these points.
- Follow the data: Work out what happens to the customer's information next. Different departments may use the same data for different purposes. The sales team might use an address for shipping orders, for example, and the marketing team might use it for event invitations.
- Identify the hot spots: Don't attempt to tackle the whole organisation at the same time. It is better to divide the task into manageable projects, and complete each one thoroughly. Your existing databases and consents can help identify the hot spots where you have the most data, the most personal data, or may have the greatest deviation from compliance.
- Interview the process owners: Ask them how they use and may wish to use the customer data they have, and find out what data they actually require for their processes. In many cases, the use of data may have evolved while the documentation has stayed the same. This step may identify products or processes in the organisation that do not have an owner. It is difficult to ensure data protection in a process if there is nobody responsible it.
- Identify the gaps: Compare the data you gather with the data that process owners require. You may need to start collecting some additional data, but don't be surprised to find you are already gathering some data you don't need. Processes change, and many organisations will find they have zombie data that isn't being used. Eliminating personal data you do not need is best practice, and it may also improve conversion rates if you no longer request it from customers.
- Establish the legal basis for processing your data: You may need to ask customers for additional consent to use their data, and may need to modify the processes where data enters the organisation to seek consent from the start of your relationship with a customer. Note, however, that consent is not the only legal basis for processing data. For example, you may not need consent if you must process the data to meet a legal obligation, or if you need to process data to fulfil a contract.
- Stay on top of data usage: The key to continuous compliance is to stay on top of the organisation's data usage, even as the organisation and its processes change. As new processes are created and existing ones are modified, ensure that they remain in compliance by routinely following the steps in this guide.
If you need help ensuring you meet your GDPR compliance obligations, even as you scale up rapidly, contact us.