My top ten rules for surviving GDPR as a business
The European Union’s General Data Protection Regulation (GDPR) is a step change for privacy and will have a major impact on how all companies collect and use personal data to sell products or services in Europe. The sweeping Regulation marks the biggest change to data protection on the continent in two decades, and puts individuals in control of their own data.
This article sets out Sympatico’s ten golden rules for businesses seeking guidance on the GDPR. It is designed to help you survive, and ultimately comply with, a complex and at times onerous regulation.
“Because I think it’s clear that a lot of people feel they’ve lost control of their own data. People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.” Elizabeth Denham, The Information Commissioner.
The Regulation in a Nutshell
- The GDPR came into force across the European Union (EU) on 25 May 2018 and also applies throughout the European Economic Area (EEA)
- Data protection law is being harmonised, strengthened and updated for the digital age
- Personal data (information by which an individual can be directly or indirectly identified) now has a wider definition, which includes online identifiers such as an IP address
- Organisations that decide why and how personal data is used (“data controllers”) and organisations that process it on their behalf (“data processors”) must both comply. A processor acts only on the documented instructions of the controller, who determines the purposes (the why) and means (the how) of processing
- Organisations must have a valid lawful basis for each processing activity; there are six lawful bases, and controllers need to determine which one applies and document it
- Sanctions for non-compliance are hefty: up to 4% of annual worldwide turnover or €20 million, whichever is higher; in the UK, the Information Commissioner’s Office (ICO) enforces the Regulation
- Extra-territorial reach: the GDPR applies to businesses established in the EU, and also to businesses based outside Europe that offer goods or services to, or monitor the behaviour of, individuals in the EU
- Individuals have the right to be informed, to access their data, to rectification, to erasure, to restrict processing, to data portability and to object
- Data Protection Officers (DPO): you must appoint one if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data; a DPO must be able to act independently
- If a personal data breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware of it; where the risk to individuals is high, you must also tell those affected without undue delay.
RULE #1: KEEP YOUR CUSTOMER AT HEART
“Make the customer the hero of your story.” Ann Handley
It’s easy to say ‘we are customer driven’, but it’s much harder to embody, and in the day-to-day running of a business we can lose sight of customers’ needs. Today, mass processing of personal data has become just another business-as-usual administrative activity. We can forget that this data relates to real people: our customers, our stakeholders. The GDPR rightly puts control of that information back into the individual’s hands. The Regulation places a much stronger emphasis on making sure people are kept informed and have a say in what is done with their information; after all, it’s theirs. Rule one: be a careful custodian of your customers’ precious data. Embrace this spirit as the protector of information, ensure customers and employees are at the heart of decisions about data processing, and you will be on the right path to upholding the data protection principles in Article 5 of the GDPR.
RULE #2: BUILD A STRONG FOUNDATION
“There are only two types of companies: those that have been hacked and those that will be.” Robert Mueller, former FBI Director
Rule two: don’t mess around when it comes to security; to comply with the GDPR you must safeguard personal data. The security principle of the Regulation requires you to take ‘appropriate technical and organisational measures’ to protect personal data, which can include pseudonymisation and encryption, making sure your systems and processes are resilient and can be restored after an incident, and having the right policies in place. Think ‘privacy by design and by default’ (the Regulation requires both), and bake in principles of security and confidentiality from the start. Cyber security is a huge topic in its own right, and for most businesses a resilient approach to information should be foundational. Without it you are exposed to ever-increasing cyber threats that can cause major business disruption and loss, and undermine your reputation. Whether you are a controller or a processor, get a handle on your security and get the foundations right; the UK’s Cyber Essentials scheme is a good place to start.
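To make the ‘technical measures’ concrete, here is an added example (written for this page, not code from the original article or from Sympatico) of pseudonymising direct identifiers with a keyed hash. It goes a little beyond the text: it also shows why a bare hash is not enough, and that the re-identification table the controller keeps separately is exactly what makes this pseudonymisation rather than anonymisation, so the output is still personal data. The customer records, the field names and DEMO_KEY are constructed for illustration and are not real.

```python
"""Pseudonymisation of direct identifiers with HMAC-SHA256.

Added example for this article, not the author's code. The sample records,
field names and DEMO_KEY below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample data; not real customers. Two rows belong to the same
# person with differently formatted email addresses.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Smith", "plan": "pro", "signups": 3},
    {"email": "alice@example.com ", "name": "Alice Smith", "plan": "pro", "signups": 1},
    {"email": "bob@example.org", "name": "Bob Jones", "plan": "free", "signups": 0},
]

# Fixed key so the example is reproducible. In production generate one with
# secrets.token_bytes(32) and keep it in a separate key store, never beside
# the pseudonymised data set.
DEMO_KEY = b"demo-only-key-do-not-reuse"

DIRECT_IDENTIFIERS = ("email", "name")


def _normalise(identifier: str) -> bytes:
    # Same person, same token: trim and lower-case before hashing.
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Stable keyed token (HMAC-SHA256, hex) for one identifier.

    A keyed hash rather than bare SHA-256: emails and phone numbers have
    little entropy, so a plain hash is reversed by hashing a candidate list.
    Without the key, whoever holds the pseudonymised data set cannot do that.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifiers; leave the analytic fields untouched."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonymise(str(out[field]), key)
    return out


class ReidentificationVault:
    """The 'additional information kept separately': token -> original value.

    Only the controller's access-controlled service should hold this and the
    key it was built with. Data set plus vault is still personal data.
    """

    def __init__(self) -> None:
        self._map: dict[str, str] = {}

    def register(self, identifier: str, key: bytes) -> str:
        token = pseudonymise(identifier, key)
        self._map[token] = identifier.strip().lower()
        return token

    def reidentify(self, token: str) -> str | None:
        return self._map.get(token)

    def erase(self, identifier: str, key: bytes) -> bool:
        """Erasure request: drop the link. Tokens left in analytics data can
        then no longer be tied back to the person by the controller."""
        return self._map.pop(pseudonymise(identifier, key), None) is not None


def count_signups_per_person(records: list[dict], key: bytes) -> dict[str, int]:
    """Analytics still works on tokens: rows for one person join on the pseudonym."""
    totals: dict[str, int] = {}
    for rec in records:
        token = pseudonymise(rec["email"], key)
        totals[token] = totals.get(token, 0) + rec["signups"]
    return totals


if __name__ == "__main__":
    vault = ReidentificationVault()
    for rec in SAMPLE_RECORDS:
        vault.register(rec["email"], DEMO_KEY)
    safe = [pseudonymise_record(r, DEMO_KEY) for r in SAMPLE_RECORDS]
    print(safe[0])
    print(count_signups_per_person(SAMPLE_RECORDS, DEMO_KEY))
    alice = pseudonymise("alice@example.com", DEMO_KEY)
    print(vault.reidentify(alice))
    vault.erase("alice@example.com", DEMO_KEY)
    print(vault.reidentify(alice))
```

Run it with python3. The points to take away: the key and the vault are the ‘additional information’ that keeps this on the pseudonymisation side of the line, so store them in a separate, access-controlled system from the data set; rotating the key breaks every existing join, so plan rotation deliberately; and an erasure request can be honoured by dropping the vault entry, after which the tokens left in analytics data cannot be tied back to that person, by you or by anyone who later obtains the data set.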
RULE #3: KNOW YOUR BUSINESS; UNDERSTAND YOUR DATA
“Details create the big picture” Sanford I Weill
If you don’t have a good grasp of what data you hold, you’re going to struggle to comply with the GDPR. How would you respond to a breach, or answer the regulator, if you don’t know what your organisation’s data looks like today? Getting to grips with your data can feel daunting, but once you have created your inventory and worked out the what, who, why, how and lawful basis for each set of data, you will be in a much better position, not only to comply with the GDPR but as a business with clear oversight of its operations. Mapping and auditing your data is critical on the path to compliance, and it will also highlight business inefficiencies, risks and open questions that are invaluable for organisational improvement or tighter controls. Rule three: document your company’s data inventory, work out the flows, and keep that data map up to date.
RULE #4: GET YOUR HOUSE IN ORDER WITH GOOD HOUSEKEEPING
“The guy who knows about computers is the last person you want to have creating documentation for people who don’t understand computers.” Adam Osborne
Rule number four is all about accountability, and that means good governance. It’s not enough to say you comply; as a business you are legally required to demonstrate it and show your workings to the ICO should they ask. That is all about getting your house in order with clear documentation, so get ready to create your ‘GDPR folder’ if you haven’t already. Here are some examples of things you should be documenting (and yes, that means in writing) as a compliant organisation, where relevant:
- Your lawful basis for processing data (and be sure to then include that in your privacy notice)
- Processing activities
- Records of consent
- Details of staff training
- Data Protection Impact Assessment (DPIA) reports
- Record of personal data breaches
- Compliant staff policies: Data breach incident plan, Data protection, Social Media etc.
- Data audits reports and maps
- GDPR plans, tests and updates for compliance.
And don’t forget that records need to be kept up to date, so it’s practical to keep documents in electronic format and build in reviews, links and processes that treat them as usable, living documents rather than dusty files in the corner of the office. And lastly, make sure they are not full of IT or legal jargon: keep them straightforward and intelligible.
RULE #5: WHEN IT COMES TO YOUR SUPPLIERS: DON’T ASSUME
“Assumptions are the termites of relationships” Henry Winkler
Rule five underlines your responsibilities as a controller when choosing the suppliers, cloud providers or partners who process personal data on your behalf. Suppliers are often the source of breaches. The GDPR obliges you to have a written contract with each processor containing the terms the Regulation requires, and it expects you to use only processors that can give sufficient guarantees about their security; in other words, choose partners wisely. And if the worst should happen, you will want your contracts to be clear on liability, so no assumptions. Part of your compliance plan should be vetting your existing supply chain, carrying out due diligence on new partners and reviewing contracts.
RULE #6: DON’T FORGET YOUR PEOPLE: BUILD A CULTURE OF PRIVACY
“Employees are a company’s greatest asset — they’re your competitive advantage. You want to attract and retain the best; provide them with encouragement, stimulus, and make them feel that they are an integral part of the company’s mission.” Anne M. Mulcahy
Processes, the best tech and the most eloquently written policies in the world mean very little if your people aren’t on board with why compliance matters. Rule six: work on the hearts as well as the minds, design a communication plan to sit alongside data protection training; bring policies to life — show people their vital role in upholding privacy as a key part of your business processes, your reputation, your mission. Think about how you can create internal advocates of privacy who will help champion its cause and explain why privacy, trust, your reputation and your customers are all inherently linked. Forge a culture where doing the right thing (by the law, by the citizen) is at the heart of your ethos and where people don’t play fast and loose with high risk. People don’t blindly follow dry rules and dusty policies, but if your company creates an ethos of excellence when it comes to key procedures, you will lessen the chance for careless mistakes and improve your chance of a sustainable compliant model.
RULE #7: BUILD RESILIENCE: FOREWARNED IS FOREARMED
“For every lock, there is someone out there trying to pick it or break in” David Bernstein
Rule number seven sets out that if you handle personal data as a business, you should be taking privacy much more seriously, with a risk-based approach. Whether you use a formal process or not, as an organisation you naturally weigh up risk and reward, but under the GDPR, if you are carrying out processing that is likely to be ‘high risk’ to individuals, you must carry out a Data Protection Impact Assessment (DPIA) before you start and, where a high risk remains that you cannot mitigate, consult the ICO. So think about privacy from the outset, design your systems around protecting data subjects’ rights, and consider the risks carefully. This comes down to some fundamentals of project and risk management: plan, build strong capability to deal with any outcome, and you will be much better prepared should the worst happen with a breach.
RULE #8: KISS: KEEP IT SIMPLE (STUPID)
“Any intelligent fool can make things bigger, more complex… It takes a touch of genius — and a lot of courage to move in the opposite direction.” EF Schumacher
Good data management is a discipline: it demands a clear and decisive view of what you need as a business and no more. Under the GDPR you should collect and keep only the personal data you need (the data minimisation principle), and you should know where it is so that you can find it, correct it or delete it when an individual asks. That gives you a great excuse and mandate to clear out the old. Review legacy data, systems and processes, keep a clear eye on the rest of your operations, and ask yourself:
- Is there data my business has acquired but doesn’t need?
- Am I over-engineering my processes? (That includes compliance)
- Do I have legacy technology, databases and suppliers that I no longer need as a business? Could that be holding us back?
To keep compliance as ‘easy’ as possible you need a comprehensive view of your business operations: your tools and technology, your supply chain, your assets, your people, your processes. If that looks like spaghetti, complying is going to be tough. Rule eight: use compliance as a great excuse to streamline your organisation, to gain control, to innovate, to modernise and to simplify, so as to power greater agility.
RULE #9: BE HOLISTIC
“Great things in business are never done by one person. They’re done by a team of people.” Steve Jobs
The key to getting rule nine right is understanding that the GDPR is not just a legal issue; if you have grasped the sentiment of the Regulation by this point, you will see that it touches Marketing, Sales, IT, Risk, Procurement, HR and ultimately the business owner or the Board. Businesses that fail to understand that compliance is a team sport, or simply expect Legal to fix it, will not be able to operationalise the changes that proper compliance brings. As an organisation wishing not only to achieve but to sustain compliance, you need to break down silos and join forces to embed privacy in your culture, processes and systems. As a smaller business, you need to take a multi-skilled, cross-functional approach, led from the top.
RULE #10: GET READY FOR THE LONG HAUL: IT’S A JOURNEY
“Do the difficult things while they are easy and do the great things while they are small. A journey of a thousand miles must begin with a single step.” Lao Tzu
GDPR compliance is complex and multifaceted, and it touches many parts of an organisation. Like the business itself, compliance never stands still; you have to keep working at it. Risk management, making sure your people support the processes, data security, and ensuring your marketing follows the rules in a changing data protection landscape will be ongoing, iterative tasks. So while you may have run a project to implement the changes needed by May 2018, rule ten sets out that a programmatic approach and a cultural shift on privacy are required for long-term resilience and compliance.
Whether your business is large or small, I hope you have found Sympatico’s top ten rules useful for your GDPR implementation and ongoing compliance. To sum up, compliance is a simple equation:
Strong capabilities + Streamlined processes + Diligent record keeping = Compliance
Underscored by: organisational culture which champions privacy
…But in reality, I know that keeping up with the complex and evolving rules of data protection, auditing your data, checking your processes, vetting suppliers, and keeping your customers informed and happy can be extremely hard work while you are running your business and doing your day job. That’s why I advocate a holistic approach that involves your whole organisation, balancing risk and agility to produce processes that work and are tailored to you as a business. Don’t neglect the basics, build essential capability from the ground up, but don’t be tempted to overcomplicate things: what you design needs to function and evolve in the real world.