Rather like exam revision or tax returns, GDPR can inspire an uncomfortable mixture of boredom and fear.
On one hand, it’s an abbreviation that relates to European rules about data management, so how interesting can it be, right? On the other hand, the General Data Protection Regulation is a law, not a guideline, and the cost of failing to comply is definitely not boring. Get it wrong and you could be fined up to €20 million or four per cent of your annual worldwide turnover for the preceding financial year, whichever is higher.
If you can afford to pay a €20 million fine – and your company can take the associated reputational hit – good for you! You can stop paying attention now.
For everyone else, there are two options. The first is the Wetherspoon approach, which is to delete your customer database and resolve to stop sending out any targeted marketing campaigns. This is actually an effective way of dealing with the issue – if you’re not deriving real business benefits from all that data, why expose yourself to the risk of keeping it?
But for most companies, that data is far too valuable to discard. For them, the only realistic option is to make sure they’re compliant with GDPR before it applies from the 25th of May 2018.
Five golden rules of GDPR preparation
We won’t explore the minutiae of GDPR here. There’s a wealth of information available elsewhere, including a detailed description of the rules on the European Commission website, some useful guidance from the Information Commissioner’s Office and some practical guidance on our own GDPR resource centre.
Instead, we’ve put together a checklist of five things to cover as part of your GDPR preparation. You really should be doing these five things already; if you’re not, you should start straight away.
- Increase awareness within your business – Key stakeholders across your business must understand what GDPR is and what its implications are for their activities. Ignorance will not be an acceptable defence.
- Assess your organisation – Audit the information you hold and review your existing privacy and security procedures, so you have a clear picture of any changes you’ll need to make.
- Define the lawful grounds – Once you’ve done your audit, you’ll need to identify the lawful basis on which you process each category of personal data. It must be one of the six set out in Article 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The basis you choose matters, because it determines which rights apply (for example, the right to data portability only applies to processing based on consent or contract).
- Establish control – GDPR gives people enhanced rights over their data, including access, rectification, erasure, restriction, portability and objection, and you generally have one month to respond to a request. You’ll need to review your privacy and data protection procedures to ensure they provide for these rights and that you can actually locate and act on an individual’s data when asked.
- Document compliance – You must be able to demonstrate that you comply with GDPR. This includes keeping records of your processing activities and proving you’ve considered how the rules apply to all the data processing you do.
If you’re still using spreadsheets and crossed fingers to manage your customer data, you could be facing a real challenge to be ready in time for the 25th of May. If you’re already using technology like CRM, you might find it an invaluable tool in your efforts to make yourself GDPR compliant.
For more detail about our five golden rules, why not download our GDPR checklist? And whatever you do, don’t delay – just like your next tax return, the 25th of May will come around quicker than you’d think.