GDPR can be the ruin or the trampoline for your business

GDPR or the EU’s General Data Protection Regulation will be enacted on the 25th of May, 2018. This regulation will be strict but can become a great growth driver.
Why is GDPR so important? The failure to comply with the new rules of customer personal data storage, usage and management might result in huge fines. When we say huge, we mean it, so around 32% of the EU-operating marketing businesses might go bankrupt if forced to pay the fees for improper personal data processing, storing and governing. Why do we say this regulation can become the trampoline to success then?

Because for the first time in the history of the Internet all EU-operating businesses (local and global alike) will have to operate by a clear set of rules. This eliminates any possibility for the discrepancy and removes a multitude of wildly different Privacy Policies. To say even more, it will force all the businesses to update their systems, practices, and data handling workflows, the task long overdue for many of them, and the act that will be hugely beneficial in the long run.

GDPR: short compliance guide

What are the main GDPR requirements then? Here is the list of core GDPR features in simple words (and in no particular order):

• Non-compliance fees are severe and can count up to €20 million or 4% of annual turnover (whichever is greater)
• Every business interaction involving storing personal data of an EU citizen should comply with GDPR. There is no safe haven, regardless of the business registration country
• The data handling processes must be scrutinized to ensure every business has detailed understanding of the data processing workflows in the company and can prove this at any given point
• Every business must have a Data Protection Officer. Are you training your DPO yet?
• The personal data should be gathered with written consent, stored securely, used for a good reason and erased at first customer’s request without undue delay. If you do not use some data — erase it, or ask for clear consent to store it
• Customer relations are way more important than an ad campaign coverage.

This is the extract of the key changes to the existing legislation. More details can be found on the GDPR website.

How to comply with GDPR?

In order to turn GDPR into a trampoline to success, your business should follow a certain roadmap. We list the key points below, though the detailed script will differ for every business.

• Audit the existing data handling processes. This should actually be the first and the last step in your data management loop from now on. Evaluate your existing data processing processes, systems, and workflows. Audit the data models within every system and make a list of all gaps or inconsistencies found.
• Implement the strict data classification. The goal of the initial data audit is to find out the following features of your data processing workflow:
  – the type of the data you deal with. Assess all the data you use, no matter the source, or the state, be it in rest or in motion — all the data your business deals with should be accounted for.
  – the location of the data used. One of the main GDPR requirements is that the business should know the location of any data they hold at any time.
  – the purpose and explicit consent to use the data. You should know exactly what you store and use the customers’ data for, and have their explicit consent for doing this.
  – the data access rights and roles. The privacy policies and rules must be clearly outlined and every employee must know them by heart. You should build a transparent personal data usage model and make sure only the people in the right roles and with the properly authorized rights have access to the data. This ensures the security, efficient data governance and sufficient level of control.
• Issue clear roles for all of your personnel. To execute effective control over the personal data your business uses, you must make sure every member of the staff has the minimal required access to the data, knows what data to use and how to use it.
• Train a DPO or hire one. Many lawyers can become DPO’s with little effort, as they have the technical and legal background to provide guidance regarding the GDPR regulations. A knowledgeable DPO can become quite a valuable asset for your company (you do remember about these €20 million fines if you fail to comply, yes?)
• Ensure the data protection is in place. To protect the data you store, you should enable its encryption, implement the anonymization features and add at least basic pseudonymization capabilities. There are multiple tools for that, so you are free to choose the method and tools that fit you most. Make sure you delete the data you do not use as if you don’t have it — you cannot lose it and don’t have to protect it.
• Provide the transparency and accountability. Document all the procedures and workflows used by your business with regards to the customer data. Have every customer’s written concern to use the data in the first place. Provide transparent assessment methods so the monitoring authorities can always check the compliance.
• Perform a repeat audit. We told about it in the very beginning. Once all the controls and procedures are in place you can check if all the issues of the initial audit are covered. You now must be able to know who, when, how and for what purpose uses every piece of the customer’s personal data, and where the information is stored at any point in time.

Final thoughts on GDPR compliance

As the enaction date comes closer, the deadline rush can be a bad advisor. GDPR can be a ruin for your business should you fail to comply on time. However, if you do implement all the procedures in question, the outcome of the transformation will be quite fruitful for the company in the long run.

It may turn out in order to adjust the data processing practices the business will have to go through a painful and long overdue digital transformation. You might (and, most likely, would) have to drop the legacy systems and move to the cloud, learn to leverage the provider’s security measures and use the latest advances of DevOps technology. All of this will help you build better customer relations, spend less and get better ROI.

You might go for training the internal talents or opt for some contractor services. While this probably seems too scary and unrealistic to be completed, just keep in mind such transformation will cost much less than €20 million or 4% of your annual turnover (whichever is greater).