Some organisations were under huge pressure to implement systems and processes to meet their immediate GDPR obligations by the regulatory deadline. So much so that, except where GDPR demanded it, their planning horizons stopped at the go-live date. With the focus on ‘compliance’, some organisations overlooked that GDPR could be a differentiator and give the company a reputational boost among employees, customers, suppliers and even the regulatory authorities.
This ‘getting it over the line’ compliance approach also often neglected the long-term view of GDPR preparations: how should an organisation maintain its GDPR position and keep it as a differentiator for customers?
GDPR-related situations and questions
Do your staff know what they can and can’t do as a result of the new regulations? We’ve seen examples of helpdesk staff blaming GDPR for their inability to respond adequately. Customer interactions were suffering because of basic misunderstandings. We also heard of health professionals providing flu jabs in a school being refused personal data about the children because of fear of GDPR infringement. That particular case highlights the need for inter-agency or inter-company agreements within the GDPR framework.
The importance of data management
Late in 2017, CGI UK commissioned and directed the Centre for Economics and Business Research (Cebr) and Opinium to conduct a survey and research around attitudes towards and preparedness for GDPR. Opinium surveyed 250 UK businesses with 29% of survey respondents drawn from companies with more than 2,499 employees and 72% from companies with more than 249 employees.
One of the questions focused on a business’s ability to prove that it had good business reasons for retaining data. The responses showed a spread of confidence.
In order to stay in command of their data assets, companies need to manage them in a similar way to other assets such as premises, vehicles and stock. This ensures that the full benefits of the GDPR-inspired transition will be achieved.
A major key to success with GDPR is to stop treating it as a separate entity. For example, your call centre doesn’t ‘do GDPR’; it takes customers through security checks. Once you formalise the necessary processes and bake them into your culture, you will fulfil all your obligations under the regulation quite naturally and with little fuss. This may require some effort in the first instance, especially for those who have weak data management systems.
This transition effort will touch many, if not all, divisions and departments of a company, which means that leadership needs to come from the top. It cannot be devolved to the security, privacy, legal, compliance, HR or IT folk. They will all be involved, but without board-level financial and leadership support, commitment and implementation would prove difficult.
Making it happen
At the heart of any well-organised business lies an intimate knowledge of where data is stored, whether the organisation needs it, and what it does with it.
In the broadest terms, a business has two repositories: one, which will be spread around, containing the data itself, and another holding the metadata that points to this data and records key information about it. The metadata repository is a vital tool for access to and management of the data that helps drive the business. If it doesn’t exist, it will need to be created.
To meet the requirements of GDPR and the upcoming ePrivacy law, a well-maintained metadata store will provide access to all elements of data which relate to an individual. It will hold information related to the collection, use, retention and disposal of that data. It could allow for the automation of the response to a Subject Access Request (SAR). And, in many cases, its remit will stretch into the supply chain, to entities that hold or process personal information on your behalf.
It’s one thing to set this up in order to meet the immediate requirements of GDPR but, in order for it to become an integral part of the business, companies need to create the right processes to manage it and keep it up to date. This could be the trigger for the harmonisation of all of a company’s data management systems, including this personal data one. A single centralised metadata repository could provide a valuable trusted service to all departments and do much to streamline business operations and reduce data bloat.
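To make the two-repository idea concrete, here is a small added example (not code from the original article or from CGI) of a metadata repository that only points at personal data held in other systems, records purpose, lawful basis, retention period and any third-party processor for each data set, and uses that metadata to assemble a Subject Access Request response and to list records whose retention period has elapsed. All system names, identifiers and record values are constructed for the example; a real implementation would replace the in-memory `STORES` dict with connectors to the actual systems.

```python
"""Constructed example: a tiny metadata repository that points at personal data
held elsewhere, and the two routines GDPR work needs from it (SAR assembly and
retention review). Nothing here is the article's or CGI's own code."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataAsset:
    name: str            # logical data set name
    system: str          # where the records live (hypothetical system names below)
    fields: tuple        # personal-data fields held in that system
    purpose: str         # why the data was collected
    lawful_basis: str    # the GDPR basis the data owner recorded
    retention_days: int  # keep records this long after collection
    processor: str = ""  # third party processing on our behalf, if any


class MetadataRepository:
    """Holds DataAsset entries; never holds the personal data itself."""

    def __init__(self):
        self._assets = {}

    def register(self, asset):
        if asset.name in self._assets:
            raise ValueError(f"asset already registered: {asset.name}")
        self._assets[asset.name] = asset

    def processors(self):
        """Third parties in scope of the repository (the supply-chain remit)."""
        return {a.processor for a in self._assets.values() if a.processor}

    def subject_access_request(self, subject_id, stores):
        """Assemble an SAR response by walking the metadata and fetching the
        subject's record from each system. `stores` maps system name to a
        dict of subject_id -> record. A system with no connector is reported
        as an error rather than silently omitted, so the response is never
        quietly incomplete."""
        response = {}
        for asset in self._assets.values():
            if asset.system not in stores:
                response[asset.name] = {"error": f"no connector for {asset.system}"}
                continue
            record = stores[asset.system].get(subject_id)
            if record is None:
                continue
            response[asset.name] = {
                "system": asset.system,
                "data": {f: record[f] for f in asset.fields if f in record},
                "purpose": asset.purpose,
                "lawful_basis": asset.lawful_basis,
                "retention_days": asset.retention_days,
                "processor": asset.processor or None,
            }
        return response

    def disposal_due(self, today, stores):
        """List (asset, subject_id) pairs whose retention period has elapsed."""
        due = []
        for asset in self._assets.values():
            for subject_id, record in stores.get(asset.system, {}).items():
                expiry = record["collected_on"] + timedelta(days=asset.retention_days)
                if expiry < today:
                    due.append((asset.name, subject_id))
        return sorted(due)


# Constructed sample data: system names, identifiers and values are invented.
REPO = MetadataRepository()
REPO.register(DataAsset("customer-contacts", "crm-db", ("name", "email"),
                        "order fulfilment", "contract", 730))
REPO.register(DataAsset("marketing-consent", "crm-db", ("email", "consent_given"),
                        "newsletter", "consent", 365))
REPO.register(DataAsset("payroll", "payroll-saas", ("name", "bank_account"),
                        "salary payment", "legal obligation", 2555,
                        processor="ExamplePayrollCo (hypothetical)"))
REPO.register(DataAsset("archived-tickets", "legacy-archive", ("email",),
                        "support history", "legitimate interests", 1095))

STORES = {
    "crm-db": {
        "cust-001": {"name": "A. Example", "email": "a@example.test",
                     "consent_given": True, "collected_on": date(2018, 6, 1)},
        "cust-002": {"name": "B. Example", "email": "b@example.test",
                     "consent_given": False, "collected_on": date(2016, 2, 1)},
    },
    "payroll-saas": {
        "emp-042": {"name": "C. Example", "bank_account": "GB00 TEST 0000",
                    "collected_on": date(2012, 1, 1)},
    },
    # no connector for "legacy-archive": the SAR response must say so
}


def run_demo(today=date(2019, 1, 15)):
    sar = REPO.subject_access_request("cust-001", STORES)
    due = REPO.disposal_due(today, STORES)
    return sar, due, REPO.processors()


if __name__ == "__main__":
    sar, due, procs = run_demo()
    for name, entry in sar.items():
        print(name, entry)
    print("disposal due:", due)
    print("processors:", procs)
```

The design choice worth noting is that a data set whose system has no connector appears in the SAR response as an explicit error rather than being dropped: a metadata entry that nobody can resolve is exactly the gap a regulator would ask about, and it surfaces here as soon as the first request is processed rather than after a complaint.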
In addition to sorting out the data management, it’s important to apply effective change management by also addressing the needs of employees. They need to understand the new processes and how they will be affected. This requires a layered approach to education and training, depending on the individual’s role. At the minimum it will come through internal communications, possibly driven by HR. At the maximum, it will involve supplementary training for all staff who deal with personal information, showing them how to enhance the customer experience through effective data privacy.
By getting on top of the personal data issue in this way, GDPR and ePrivacy will be subsumed into ‘business as usual’ (BAU). Your company will be able to demonstrate its data quality, its responsible approach and its ethical stance, thereby earning trust and improving its reputation with employees, customers, suppliers and the regulatory authorities.
About this author
Head of Cyber Security Services
Richard leads cyber security services for CGI in the UK. The group provides a balanced portfolio of services across a broad range of sectors from Defence and Intelligence, Energy and Utilities, as well as the commercial sector. Engagements include the design and delivery of major ...