Stuart Gentle Publisher at Onrec

COMMENTS: GDPR - Less than one month to go

Adam Stringer, a GDPR expert at PA Consulting Group, comments:

The EU GDPR isn’t a one-off exam. It’s one you have to be ready to sit every day, every week and every year. Personal data is moving through organisations all the time. And you need to understand what it will take to process it in line with the GDPR, day in, day out. 

Privacy is for life. Come 25 May 2018, organisations might have all the spreadsheets, systems and contracts in place, but they must ask themselves: Do they all work? And what about next May? Will your data inventory be up-to-date? Will you have acted on what you’ve learned from handling your first rights requests? Will your suppliers and others still be doing what their contracts say they should be?

Create an operating model around data privacy, with specific capabilities, roles and responsibilities. Organisations need to get their act together, from understanding how they’ll engage with customers and handle their inquiries to knowing how they’d cope minute-to-minute in the wake of a security breach. It’s only by going through this process in detail that you’ll know the full day-to-day impact of the GDPR. At a minimum, your operating model will need to consider:

  • how you maintain your inventory;
  • how you respond to Individual Rights requests (such as the right to erasure);
  • how you check your suppliers are able to meet privacy clauses you put in contracts; and
  • how you respond to a regulatory review.

The world is watching. Privacy is on the global agenda and is now a boardroom topic. In any event, trying to split apart how data is managed based on location of citizens is just too complex – international digital commerce knows no boundaries, as seen by the revelation that most of Facebook’s processing is undertaken in Ireland. The safest response, and arguably the one that customers want, is to apply transparent practices globally.

Create a compliance culture. Compliance is not just about systems and processes, it’s also about culture. If everyone in the business senses that you take this seriously, and understands that each person has a part to play, you’re far more likely to succeed. You can embed this thinking through training, and through individual development objectives. For example, we ran a data breach simulation exercise with a major financial services organisation, which helped teams understand how to work together in the event of a real issue.