Data and the GDPR: What to do and how to do it
Several weeks ago, the General Data Protection Regulation (GDPR) officially went into effect, forcing companies to implement new initiatives to ensure that the private data of European citizens is protected and used carefully.
The GDPR focuses on how the private data of European citizens is collected and used within your organization as well as data security. If your organization manipulates the private data of European citizens, the new law applies to you, even if data management is not your company’s primary economic activity.
So what does your organization need to do? Here are a few tips and tricks to consider.
Simplify your data collection
To ensure that your organization respects the right to privacy of European citizens, your company should start with a full review of its data collection practices. In some cases, companies simply do not need to collect as much data as they currently do, and a more minimal approach would allow them to comply with the GDPR while still meeting the same business objectives. For example, your market data may record individual names when the name of the company the individual works for would be enough to meet the same business objectives. The same goes for an IoT (Internet of Things) application that saves a user’s IP address. Do you absolutely need this information? In other words, the GDPR encourages organizations to review their data collection practices and collect only as much data as they need to meet their business objectives.
Choose an external partner to facilitate data management
To ensure that they are GDPR-compliant, many companies will choose to do business with an external partner specialized in data protection, masking and virtualization. Doing so will likely be less costly, more advantageous and safer than trying to build and maintain all the required systems in-house.
If you’re relying on an external partner or platform, make sure to read the terms of service carefully. Should a data leak ever occur, the external partner should be legally responsible, not your organization. There are a few exceptions to this, for example if the data leak can be traced back to unauthorized access from within your organization. In that case, your organization would be responsible, and not the external platform or partner.
Use the GDPR as a way to distinguish your organization from its competitors
While being GDPR-compliant will require major changes, the new law could also be an interesting opportunity for your organization. The GDPR could allow your company to pro-actively demonstrate its values by embracing data privacy and going above and beyond to show that your organization is GDPR-compliant. This would help your company distinguish itself from its competitors.
To succeed, it’s also important that your entire team is involved. Data protection and data privacy are not a single person’s job, but a full team effort. By making sure leaders from your marketing department, HR department, development teams, etc. are actively involved, you’ll achieve a better outcome.
Document your efforts
Be prepared for a GDPR-related audit or verification process by documenting your new procedures ahead of time, along with everything else you’re putting in place to make your organization GDPR-compliant. Not only will you save time during an audit, but this documentation could also be useful internally, as it could help new employees more easily understand your company values as well as the procedures you’ve put in place to respect data privacy.
Designate a Data Protection Officer
To help them navigate the GDPR, many organizations are designating a Data Protection Officer (DPO) whose mission is to ensure that the company is GDPR-compliant when it uses data for either commercial purposes (like a marketing campaign, for example) or internally (such as software used by an HR department, for example).
A Data Protection Officer’s role is fluid and multi-faceted. The Officer must work with project leads, executives, the marketing department, the HR department, development teams and any other group that handles or manipulates data. Moreover, the Data Protection Officer must be knowledgeable when it comes to the law, computer science and cybersecurity.
The “Brexit” won’t change anything
Lastly, the upcoming “Brexit”, in which the United Kingdom will exit the European Union in 2019, should have no impact on the General Data Protection Regulation. In theory, after the Brexit, the United Kingdom government could decide to pass an independent law that would abolish the GDPR within the United Kingdom, but this seems unlikely to happen as the law is fairly popular. In other words, the upcoming Brexit should have no impact on your organization’s GDPR-related efforts.
Is your organization ready for the GDPR? Do you have GDPR-related questions or concerns? Let us know in the comments section!