hopscotch board
PHOTO: Jon Tyson

If you’re not already well on your way to GDPR compliance, it’s unlikely you’ll be fully compliant by May 25. But, according to the statistics reported in our first article, you’ll be far from the only one.

While it’s impossible to know how such wide-scale noncompliance will be addressed, there will likely be a grace period in which organizations that can demonstrate they’re making a good-faith effort will get by with a warning and perhaps some guidance on how to accelerate their efforts.

What Should We Focus on Between Now and May 25?

Your best approach is to finalize your plan for compliance and to then start working on the most important parts of that plan so you can clearly demonstrate your intention to comply with GDPR requirements.

Figure Out What Data You Have and Where It Is

The process of identifying what personal data you have, how it’s used and where it’s stored doesn’t have to be complex, but it does have to be thorough. If marketing sends prospect information to sales via email, for example, those emails must be accounted for. Important details include:

  • Which departments/teams collect personal data.
  • Whether the data is stored on site or in the cloud.
  • If data processing is outsourced, the identity of the vendor and the type of system being used.
  • The sources of the data collection (websites, native mobile applications, other digital touchpoints).
  • How different types of data are used and what they’re used for.
  • The identity of any other parties who use or have access to the data.
  • What type of consent was given when the data was collected and where that documentation is stored.

This information (as well as any difficulties you have finding the answers) will give you a good first snapshot of how much work you’ll need to do to become GDPR compliant. In addition, it’s critical to your ability to delete or anonymize a consumer’s data upon request.

Editor's Note: This is the third in a four-part series on the GDPR. Tomorrow's post will look into the world of marketing post-GDPR. Read more of Auvray and Podnar's thoughts on the GDPR in this free whitepaper.

Develop or Update Your Privacy Policy

Your privacy policy should clearly state your alignment with the “spirit of the law” for protecting data privacy. Don’t claim to be compliant if you’re not. Just state your commitment to protecting consumer data and reassure consumers that you’re actively working to meet GDPR requirements.

Create an Action Plan

Identify each GDPR requirement that you’ve not yet met, and assign each one to a “SWAT” team that will be responsible for developing a plan for achieving compliance. Specific items may include:

  • Accountability and governance.
  • Consent and processing.
  • Children.
  • Notifications (customers/internal).
  • Data rights and procedures.
  • Records processing.
  • Privacy by design.
  • Data breach notification.
  • Data localization.
  • Contracting and procurement.

Understand Your Prospect and Customer Data Sources

One of the key prerequisites for GDPR compliance is understanding what personal data you collect and where it is stored. That can seem daunting at first, but it becomes manageable when you break it down into key elements, such as understanding:

  • Who are the departments or teams that operate systems which collect personal data?
  • What type of hardware and software is used to collect the personal data, and is it on the organization’s premises or is it located in the cloud?
  • What are the user-facing sources for data collection? (e.g., websites, native mobile applications, other digital touchpoints, etc.)
  • How is the data processed and for what reason?
  • Where is the data eventually stored and maintained, and if it is sent outside of the organization, to whom and why?
  • Has the prospect or customer consent been requested and obtained? If so, when? And has proof been logged in the system?

This basic information provides a good initial snapshot into an organization’s GDPR readiness. Any level of difficulty in answering these questions is a good indicator that your organization will face challenges in complying with a user’s request for data pseudonymization or deletion, thereby falling short of GDPR compliance.

Identify Your Priorities

Once you have each working group’s plan, identify your priorities based on value to your organization (cost/benefit analysis) and your ability to make quantifiable inroads by May 25.

Document Your Accomplishments

Have each working group document their accomplishments as proof of your good-faith intentions to achieve GDPR compliance.

Is Data Collected Prior to May 25, 2018 Exempt?

No, there is no grandfather clause in the GDPR. Existing data is subject to the same requirements as data you collect after May 25, 2018. Some organizations will choose to address this by asking customers to re-authorize consent based on the new standards. Others may choose to delete existing data and start over with systems that are GDPR-compliant from the outset.

Who Should Be in Charge of GDPR Compliance?

There is no one specific title or position that’s best suited to be in charge of GDPR compliance. In general, the ideal person is someone authorized and endorsed by the CEO or other executive leadership to spearhead GDPR compliance and to monitor and maintain compliance going forward. While the ability to negotiate and build relationships is important, unequivocal support from the C-suite is an absolute necessity.

Can We Buy Any Tools or Services to Help Us Achieve Compliance?

No single tool can help you achieve 100 percent compliance. There are, however, tools that address various aspects — locating and categorizing unstructured personal data hidden in emails, for example. Tools have also been developed for other purposes that make compliance easier. Some CRM platforms, for example, have anonymization features, meaning they irreversibly destroy any way of reconstructing the data and connecting it to a particular individual. Some offer pseudonymization, which cloaks a person’s identity so that additional information is needed to reconnect the data to the related individual.

As for other important and structural software commodities, because both client data privacy management and customer data collection are a core and transversal requirement, standardization and open source projects have been initiated by two of the most trusted communities in the software industry:

Since 2015, under the umbrella of the OASIS standardization consortium, a specific technical committee was chartered to assist organizations that currently struggle to create and deliver consistent personalized experiences across channels, markets and systems with data privacy by design. The Context Server standard (CXS) aims to simplify management, integration and interoperability between solutions providing services like web content management, CRM, big data, machine learning, digital marketing and data management platforms. As a mirror of this standardization initiative, the Apache Unomi project provides the first open source customer data platform and acts as the implementation of the CXS standard while promoting ethical web experience management and increased user privacy controls.

Before purchasing any tool to help with an aspect of GDPR compliance, consult with your subject matter experts to get their input on whether you have the skills you need in-house or whether it would be smarter to purchase a tool — or even outsource — a specific aspect of compliance.