In a series of blog posts, IBM is coaching businesses with recommendations on how to get into shape so they can thrive in the new data era.
Will your company be ready for the European Union’s General Data Protection Regulation (GDPR) by 25 May?
If the answer is no, then you will have a lot to do and not a lot of time in which to do it, but that doesn’t mean it’s time to panic. Start with your good intentions towards compliance and a well-developed data protection plan and compliance roadmap.
You can model your roadmap on the IBM global GDPR readiness program to help your organization become GDPR ready. Here are some of the components to consider in your data protection roadmap and some of the common mistakes to avoid:
“The coach’s take: “the GDPR creates business value through increased customer trust, more efficient IT processes and stronger employer-employee relationships.””
1: Identify your GDPR stakeholders
Clearly document senior management as well as stakeholders in human resources, legal, payroll, marketing and IT. Stakeholder support for compliance activities will help drive GDPR readiness and ensure you have the right budget to deliver.
Don’t treat GDPR compliance as a “business problem” or a “technology problem.” Instead, in a similar way to the IBM approach to their GDPR readiness, take a holistic approach which covers people, processes and technology. Translate GDPR obligations into clear actions and outcomes that are required to progress toward readiness.
2: Communication and training
Create an organization-wide communication and training plan. IBM has developed a range of internal communication and training initiatives designed to help employees understand their responsibilities. IBM recommends training high-risk employees first, then work with employees with access to less-sensitive data.
Don’t focus on the perceived negative aspects of the GDPR. When communicating with employees about compliance, strive to show the competitive value of privacy and data protection. Ensure that everyone understands the new rules and processes and realizes there are clear business benefits to growing consumer confidence in your organization and its use of their data.
3: Data as a strategic asset
Start by appointing a chief privacy officer (CPO) to lead you toward compliance. A CPO sets standards for data retention, metadata, data architecture and data management and helps implement an IT infrastructure designed to store and access data efficiently.
Don’t assume that merely patching existing business processes or commercial products with fixes such as adding data encryption will be enough. To be truly GDPR ready, “privacy by design” should be your mantra. Whether launching a new commercial offering or building an internal business process, embed data protection principles into each layer and at each step in the product lifecycle. Your plan should clearly document any breach notification processes. A comprehensive data protection strategy is a recommended way to be ready for GDPR.
4: Personal data and risk assessment
At a minimum, to be GDPR-ready you should:
- Clearly understand what constitutes personal data and what it means in the context of your organization.
- Drive personal data discovery and high-level data mapping across the organization.
- Identify the processing activities that are performed on personal data.
- Catalog and protect all personal data.
Don’t get to know your data just because the GDPR says you have to. Take it to the next step. Better data equals better business. For example, your organization could use machine learning and artificial intelligence solutions to find hidden insights.
5: Consent and data subject rights
Develop an awareness of consent processes and data subject rights. Think about how you interact with employees, customers and third parties. In a GDPR world, all communications, transactions and applications that involve personal data require clear, affirmative action on the part of the data subject, and are controlled by at least one of the six forms of legal basis of processing that the GDPR defines. You must provide the capability for people to change or delete their personal data. Learn more from this IBM webinar on consent and rights.
Avoid viewing the development of new consent as a burden. Becoming a data-driven organisation can build brand and business value. Remember, it’s not only about the quantity of your data, but also the quality. A more targeted or personal approach should see your marketing conversion rates increase.
For more from the “Coach,” take a look at the rest of this GDPR series.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.