GDPR - what does it mean for businesses?

We’re turning the spotlight on the issue of data protection in our next magazine, and examining what the new GDPR regulations mean for local companies.

Here’s a taste of what’s in store, from Neil Hambley, a Shrewsbury based data consultant with over 20 years’ experience working across businesses from start ups and SMEs through to high profile brands such as Halfords, Land Rover, Time Warner and Capita.

Neil is currently helping businesses prepare for the GDPR ahead of May 25^th and is running a series workshops with Shropshire and the Marches Growth Hub.

 

Embracing the GDPR – Structuring an approach

Although new directives were unveiled in 2016 the GDPR is still a shock to businesses in 2018.

Last year KPMG reported that most businesses ‘have no idea what to do about the GDPR and don’t want to grasp the nettle’. Brexit offered a potential get out clause and convenient excuse to turn a blind eye, but 12 months on the GDPR is here, and set to impact on businesses from May 25^th.

Grasping the nettle is now vital! Wading through 200 pages of legislation is not everyone’s cup of tea but deconstructing the regulations can bring clarity and a structured approach for crucial changes come May.

 

 1 – Self evaluate

The GDPR requires organisations to look at themselves and the way they handle data. It places demands on how data is collected, processed, by whom and for what reason.

The ICO recommends Data Protection Impact Assessments; business audits establishing concerns, priorities and a road map for change. Self-assessment is a logical starting point.

2 – Awareness

The GDPR is as much a business ethos as a set of regulations. Organisations need to develop a long-term, ‘data culture’ from the boardroom down. Not just structures and processes, but training and education at all levels.

3 –Roles and responsibilities

Defining roles and responsibilities helps establish awareness. From, ‘Data Protection Officers’ at the helm, ‘Controllers’ with strategic and managerial responsibilities through to ‘Processors’ working with data. The GDPR clearly outlines responsibilities.

4 – Contact rights

A thorny issue! Organisations must define their right to contact individuals (even existing customers), most likely through ‘consent’ or ‘legitimate rights’. DPIAs will help clarify this but expert advice might help. A small cost now could mean huge saving in the future.

Opt-ins and privacy statements also need be reviewed and updated. Guidelines are generally well defined and explained by the ICO.

5 - Data management

Imagine dealing with Search Access Requests, informing customers of every detail stored about them and erasing them within a month – a GDPR requirement.

Think about managing data efficiently and structuring data processing. Allocate resources and responsibilities.

6 – Remember the data!

The GDPR demands that individuals be treated as individuals and it’s easy to forget that how businesses manage data is as important as the data they manage.

Every day 1,600 people die, 18,000 move house and 240 businesses move premises. The average business estimates that 22% of its contact data is inaccurate resulting in a 12% loss of yearly revenue.

Maintaining clean records, removing duplicates, and unnecessary data isn’t just a requirement but a huge benefit, saving money and increasing efficiency. It also helps businesses maintain a clearer view of customers, build trust and remain close to customers that want to be customers. Quality data should be a considerable business asset.

Responding to the GDPR was never going to be easy, but a structured approach now could solve a lot of problems come May. There is still time.