Driving forward on the GDPR journey

By Austen Clark, managing director of Clark Integrated Technologies

GDPR has arrived, and it’s here to stay.

It has come into force without the sky falling in: we are still doing business as before, but with the understanding that we have new data protection rules to adhere to. The business world has woken up to the topic and GDPR is often heard in conversation and referenced.

May 25 was the start date, and not the end, of GDPR compliance and SMEs should sustain their compliance processes over time. It’s an ongoing exercise, it didn’t just start and end on one date in May.

Look on it as a journey to GDPR conformity in which you continue and maintain your efforts towards a longer-term goal. Be able to prove that you’ve taken the right steps and be able to document and evidence them. Review as necessary and tap into all the help, support and guidance that is available out there.

We’ve seen much in the media about severe fines that could be imposed for non-compliance, and warnings to businesses that they could lose customers by bringing their consents to the GDPR standard.

Despite the popular weight of opinion in the media and the scaremongering around the subject, I was one of those that looked positively towards GDPR and it being a whole new era for personal data protection.

All along I’ve encouraged leaders to consider the opportunities that arise from this legislative overhaul in data protection – organisations will have better engagement with customers which will, in turn, build customer trust.

Every week there is a new story about a company harvesting customer data without them knowing. GDPR is great chance to develop confidence and demonstrate robust processes and systems are in place for handling personal data.

Compliance shows your business has ethical practices when it comes to marketing communications and handling personal data. Compliance reinforces and strengthens your credibility not only with your customers but also suppliers and partners.

Think about making the most of the new opportunities, from cleansing databases to building trust. While GDPR does mean making changes, realigning IT processes around personal data can help with digital transformation and the modernisation of out-of-date processes. Ultimately, aligning GDPR programmes with IT modernisation could deliver savings, operational benefits and boost productivity beyond a tick-box exercise of ‘just being compliant’.

GDPR can, and should in my opinion, be viewed as a route towards positive business transformation, instead of being unnecessary bureaucracy or a hindrance to business.

But what if your business feels lost, or you believe you still have some way to go on your journey? Let me reassure you – keep on going and you will reach the finishing line.

This five-point plan should help you visualise the path to reach continual compliance – you may be beyond the first stages already, but stay on the road, keep moving forward and you will get to your destination.

Audit – A mapping exercise is the starting point. Ask yourself what personal data does your business hold and what do you do with it; identify the roles and responsibilities that will be involved; gain buy-in from senior management and carry out a risk assessment based on GDPR.

Report – Once you understand what information you have, what you do with it and how often, you need to identify the most appropriate legal basis for its processing, and document it. That allows for the creation of a Data Protection Statement, or Privacy Notice, which can be made available to view by anyone.

Action – Think ‘tick-boxes’ for marketing. For example, someone adding their details to place an order needs to be able to control consent on whether their personal details end up on a data base for marketing. Requests for consent needs to be clearer and well-defined.

Compliance – Demonstrate that you have in place the measures to ensure that good practice is being followed. Gaining the certification of a national accredited body will show that your business has both technical and organisational measures in place. You could register with the Information Commissioner’s Office (ICO); this voluntary registration can be a good indicator to your customers. Let the world know about it – share any accreditation ‘badge’ by including it on your website, letterheads, email footers or social media platforms.

Continual Compliance – Think quarterly audits and consider gaining further accreditation to the next, more advanced, level. Use the knowledge and expertise gained in all future processes.

We’ve all had a barrage of emails in our inboxes asking for permission to continue to receive communications from all kinds of businesses and it’s clear that in many organisations, consent requests are now in place so good progress is being made.

However, there’s certainly more guidance that needs to be given to clarify what can and cannot be done under the banner of marketing, particularly around the subjects of B2B and legitimate interest.

And there are still organisations that have yet to square up to the regulation. While it’s difficult to put a figure on that, 25% has been suggested, and I suspect many of them are small businesses that feel out of their depth on the topic or fear the cost implications of complying to what is, after all, the biggest shake up of data protection law in a generation.

From our own experience, we’ve seen some businesses accepting of the fact that they need to comply, but when costs are spoken about they defer decisions. There’s no longer time to defer. The ICO will be looking to enforce their powers – this must come soon – as without this they will look weak. But who will be the first to come under their spotlight?

If you’ve still to act, my advice would be to get going now. You may find the following guide from the ICO helpful:


Clark IT: www.clark-it.com