
The General Data Protection Regulation (GDPR) goes into effect May 25. That's less than four months away for those of you counting. However, according to a report from the UK Government, many of you are not paying attention. The British Government reported Jan. 24 in its "Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act" that less than half of businesses have made changes to their cybersecurity policies because of GDPR. Further, only 38 percent of businesses had even heard of GDPR.

So what can you do to ensure your compliance program gets out of the gate fast? Our experts offer these tips.

Know the Four Ps of GDPR Readiness

Rob Perry, vice president of product marketing for ASG Technologies, said companies just getting started should follow his four "P"s:

  • Preparation: First, ask this question: "How much of my data will be affected?" That gives you a baseline from which to work, and you can begin evaluating platforms or solutions.
  • Production: Examine your data sets to determine what changes need to be made to ensure data meets regulatory requirements. Some organizations may gather data they do not actually need and choose to stop collecting this information from consumers. Others can anonymize the data internally. "Still more companies may elect to enlist outside help to manage compliance," Perry said.
  • Performance: Implement process changes and launch new platforms prior to GDPR’s launch date, where possible, Perry said. "This will ensure there are no costly missteps," he added.
  • Persistence: In most organizations, GDPR prep will not be a one-and-done situation. Rather, it will require consistent education and agility from organizations as changes occur.


Be Realistic About Your Workload

According to Jeff Nicholson, vice president of CRM product marketing at Pega, organizations jumping into the GDPR compliance party late will find it's much more complex than many may initially think. "There is no magic 'easy button' when it comes to the GDPR. Every industry, and arguably every business within every industry, is interpreting the legislation and their own strategy differently. And it gets even more complex when one considers that no two enterprises' infrastructure and IT landscape are exactly alike," he said. For example, personal customer data is strewn across the business, within a myriad of systems, some old, some really old, some new. Most of it, Nicholson said, was never designed to work together.

Businesses now need a "system to manage the systems" internally, one with six core capabilities for closing their GDPR readiness gaps:

  • Consent
  • Process
  • Data
  • Communication
  • Transparency
  • Accountability


Sharpen Your Consent Model

Organizations need confirmation, or proof, that the data subject agreed to the use of the data provided, and they must document the data-use purpose for which that consent was given. "Best practice will also include the proof of the specific terms of consent that were presented to the data subject at the time of collection," said Nicholson. In some cases, businesses may make an argument of "legitimate interest" as a substitute for explicit consent, he added.

However, once collected or declared, data subject consent will need to be continuously governed and administered across the business' systems and processes in accordance with the permissions (or legitimate interests) granted. In this sense, it will be as much about what the business doesn't do as what it does, when it comes to future customer profiling activities and interactions, Nicholson added.
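The consent model described above has three parts a practitioner has to build: a record of what was shown and agreed to, a per-purpose check that every downstream system consults before processing, and an audit trail that survives withdrawal. The following is an added illustration of one way to structure that; it is not code from Pega, Nicholson or this article. The ledger is append-only (withdrawal is a new event, never an edit), the exact consent text is stored as a hash so the terms presented can later be proven, and a legitimate-interest purpose set is accepted as the alternative basis the text mentions. All subject IDs, purposes, timestamps and consent wording are constructed for the example.

```python
"""Append-only consent ledger with a per-purpose processing gate (illustrative)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    seq: int                      # insertion order; tie-breaker for equal timestamps
    subject_id: str
    purpose: str                  # e.g. "marketing_email"; one event per purpose
    action: str                   # "grant" or "withdraw"
    occurred_at: datetime
    terms_sha256: Optional[str]   # hash of the exact text shown (grant events only)
    source: str                   # channel the consent came through, e.g. a form name


def hash_terms(terms_text: str) -> str:
    """Fingerprint the consent wording so the terms presented can be proven later."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Events are only ever appended; the history itself is the evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id, purpose, action, occurred_at, terms_sha256, source):
        ev = ConsentEvent(len(self._events), subject_id, purpose, action,
                          occurred_at, terms_sha256, source)
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purpose: str, terms_text: str,
              occurred_at: datetime, source: str) -> ConsentEvent:
        return self._append(subject_id, purpose, "grant", occurred_at,
                            hash_terms(terms_text), source)

    def withdraw(self, subject_id: str, purpose: str,
                 occurred_at: datetime, source: str) -> ConsentEvent:
        return self._append(subject_id, purpose, "withdraw", occurred_at, None, source)

    def is_permitted(self, subject_id: str, purpose: str, at: datetime,
                     legitimate_interest: FrozenSet[str] = frozenset()) -> bool:
        """Gate a processing activity: legitimate interest, else latest event must be a grant."""
        if purpose in legitimate_interest:
            return True
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.occurred_at <= at]
        if not relevant:
            return False                      # never asked, never granted
        latest = max(relevant, key=lambda e: (e.occurred_at, e.seq))
        return latest.action == "grant"

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent grant for a purpose: when it happened, via what channel, which terms."""
        grants = [e for e in self._events
                  if e.subject_id == subject_id and e.purpose == purpose and e.action == "grant"]
        return max(grants, key=lambda e: (e.occurred_at, e.seq)) if grants else None

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, e.g. for an access request."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> dict:
    """Constructed scenario: consent granted at 09:00, withdrawn at 12:00 the same day."""
    def t(hour: int) -> datetime:
        return datetime(2018, 5, 25, hour, 0, tzinfo=timezone.utc)

    terms_v1 = "I agree to receive product emails from Example Co."   # constructed wording
    ledger = ConsentLedger()
    ledger.grant("subj-001", "marketing_email", terms_v1, t(9), "web_signup_form")
    ledger.withdraw("subj-001", "marketing_email", t(12), "preference_center")

    proof = ledger.proof_of_consent("subj-001", "marketing_email")
    return {
        "before_withdrawal": ledger.is_permitted("subj-001", "marketing_email", t(10)),
        "after_withdrawal": ledger.is_permitted("subj-001", "marketing_email", t(13)),
        "never_granted": ledger.is_permitted("subj-001", "profiling", t(13)),
        "legitimate_interest": ledger.is_permitted(
            "subj-001", "fraud_prevention", t(13), frozenset({"fraud_prevention"})),
        "proof_matches_terms": proof is not None and proof.terms_sha256 == hash_terms(terms_v1),
        "events_for_subject": len(ledger.history("subj-001")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the design is the last sentence of the section: the gate is consulted for what the business does not do. A profiling job that calls `is_permitted` for a purpose the subject never agreed to gets a refusal, and the refusal is explainable from the same history that a data subject or supervisory authority could later be shown.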

Data Collection Across the Enterprise

Discover and identify all the places where individual-level customer data may be residing across the entire enterprise. In addition to existing master data management (MDM) efforts, provide a new capability to collect and assemble this data on demand. That capability is exercised when a GDPR-impacted event, such as an Article 15 data subject access request, is initiated, according to Nicholson.

"This is no small task. Consider that most businesses have had long-underway '360 degree customer view' initiatives that aspire to serve up a complete record of customer data to front-line employees and internal systems, and it is still not a reality for many brands. Now, with GDPR, businesses will be tasked for the very first time to assemble this 360 degree customer view — but this time, give it directly to the customer," said Nicholson.


Create an Information Governance Team

Nigel Tozer, director of solutions marketing for EMEA at Commvault, said organizations should create an information governance team composed of staff with the right skills and business unit perspectives, including IT. This team will help:

  • Develop and implement the policies needed to identify personal data and context
  • Verify if consent was secured to collect this data
  • Adequately protect and secure this data
  • “Forget” or transfer this data if needed
  • Meet other GDPR requirements.

The team should be independent of IT, Tozer said, and report to the chief data officer if such a position exists, or otherwise to the CEO or board of directors. "Information governance teams need to identify and classify all of their organization's data. Without this, they will not be able to implement policies that fully protect it based on its need or value to the organization, or whether it should even be stored or processed," said Tozer.

Creating a detailed and comprehensive view of what personal data you have, where it is, and how it is being used, secured and stored will allow your enterprise to know its GDPR risk exposure. "Once an organization understands this, they can feel confident implementing the strict GDPR policies," Tozer said.

Document Your Strategies

Companies should begin to document how they are protecting personal data throughout its lifecycle. "As one of GDPR's main requirements is accountability, enterprises must document the processes they have in place to protect personal data from its inception. If an organization wants to fully minimize their GDPR risk, they need to be ready to prove they are both able to meet GDPR's data privacy requirements and are consistently doing so," said Tozer.

A business's accountability strategy cannot be an afterthought, Nicholson added. "It has to be in the very bedrock of their processes. GDPR is not about just executing, it's about providing evidence of compliance to each of the legislation's challenging articles," he said.

Get Bang for Your GDPR Buck

If your team is considering technology investments to tackle GDPR, make sure vendors offer other business benefits as well, such as storage or cloud savings, increased employee productivity or improved agility. Putting the wrong tech in place, Tozer warns, "will be expensive in the medium to long-term."

Appoint a Data Protection Officer (DPO)

Companies that are engaged in the systematic monitoring of EU data subjects on a large scale will be required to appoint a DPO, according to Doug McPherson, chief administrative officer and general counsel at OpenX.

"DPO responsibilities may be assigned to an employee or may be outsourced to a third party. This person will monitor compliance with the GDPR, inform and advise the company and its employees of their obligations under the GDPR and will act as the point person for the supervisory authority, among other things," said McPherson.

Take Note of International Transfers

In addition to their other GDPR obligations, US companies that transfer data from the EU to the US must have an approved mechanism for transferring EU personal data to the US, McPherson warns. These could include use of the EU-US and Swiss-US Privacy Shields, standard contractual clauses and binding corporate rules.

Who Comes Out Ahead?

"In the GDPR era, the businesses that will win are the ones that view GDPR not as a compliance issue alone, but as a golden opportunity to drive greater relevance, revenue and retention," said Nicholson.