Home / Legal & Compliance

GDPR – new data protection regulation is coming . . . are you sure you’re ready?

By / Ivanka Menken / In Best practice /

Is your data management strategy set up correctly, completely and in place ready for compliance with the incoming GDPR – new data protection regulation – in May? Ivanka Menken has a checklist of processes that businesses and organisations should go through in order to ensure the customer data they hold complies fully . . . and what to do now if it doesn’t.

The EU General Data Protection Regulation (GDPR) will come into effect from the 25th of May 2018. Irrespective of where you are located in the world, if you collect client data from persons in the EU, the GDPR is now part of your new standard operating procedures.

GDPR is all about personal data and to make sure this personal data is protected from outside attacks. The onus is on the company to prove that they do every reasonable thing to protect their customers’ personal data against misuse – whether you process and store all the data internally, or by engaging a third party supplier or SaaS provider.

What types of privacy data does the GDPR – new data protection regulation – protect?

Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Biometric data
Racial or ethnic data
Political opinions
Sexual orientation

With businesses performing more and more transactions online, as well as managing many of the business procedures online, the need for strong data protection has become a critical component of the overall business process.

As a savvy professional, it pays to understand the compliance criteria in such a way that you will be able to understand and manage the ongoing compliance requirements beyond May 25th. This date only marks the starting point from which we need to be more vigilant in how we manage, store and process our customer’s personal information.

Looking at GDPR from this point of view means that the management requirements for GDPR can be split up across five different phases. These phases coincide with the general lifecycle of a business process and they loosely align with Deming’s Quality cycle: Plan – Do – Check – Act (PDCA for short).

Plan what you are going to do
Do what you planned for
Check / study and analyse the results of what you did in the previous step
Act accordingly – improve the activities, measurements and expected outcomes.

Phase 1: Recognise the value of GDPR for the overall business

Even though GDPR compliance is mandatory, it still pays to recognise the value for the overall business – approaching the regulation this way means you change your point of view from looking at GDPR as a burden to looking at it as an opportunity that provides value to the overall business.

Example questions you can ask to identify the opportunity GDPR brings to your organisation:

Does GDPR create potential expectations in other areas that need to be recognised and considered?
What does GDPR success mean to the stakeholders?
How does GDPR compliance prevent errors and rework?

Phase 2: Define what GDPR – the new data protection regulation – means within the context of our business

In phase 2 we move from a more generic value-based approach to a more specific business context. What works for one company does not necessary work for a different one, so to avoid the ‘one size fits all’ approach – it’s important to look at the compliance requirements within the context of your company or business.

This approach links GDPR to the business goals and objectives, making it easier to identify cost-savings or efficiency gains of the business processes that deal with personal data.

Example questions to clearly position GDPR within the business context are:

Is the scope of GDPR defined; what are the boundaries? And is the GDPR scope manageable?
Is GDPR implementation linked to key business goals and objectives?
How does your organisation fall under the scope of GDPR? (Especially when your business is outside of the EU)
Does senior management understand the importance of GDPR?

Phase 3: Measure & analyse how GDPR compliance is currently performed

This phase might be the most important part of the whole approach. With fines of up to 4% of global turnover, the implications of not correctly complying with GDPR are massive.

First of all we need to understand how we can measure GDPR compliance. This means doing an audit on our customers’ data and how we process and store this data.

You can’t manage what you can’t measure, so identifying a way to measure and analyse GDPR compliance is the first important step to take.

Examples of questions to ask are:

What are the uncertainties surrounding estimates of impact of GDPR compliance?
What current systems have to be understood and/or changed?
Can we comply with GDPR without complex and expensive analysis?
Do you know where your data is today?

Phase 4: Improve the GDPR compliance processes

Once you know the actual data that falls under the GDPR remit, you can create a process improvement system. The way we use data online changes constantly, which means we need to constantly reassess our data management and data storage processes. This also includes the way we hand over data to our vendors and third party outsourced partners.

The questions we ask in this phase are all around improvement and progress – not being satisfied with the status quo and constantly looking for better ways to manage our customers’ personal data in line with GDPR compliance.

Are we able to answer a regulator asking ‘where did you get the data and how did the data subject agree to it being collected’?
Are we making progress? If so, how do we know?
What are the revised rough estimates of the financial savings/opportunity for GDPR improvements?

Phase 5: Control and sustain the data engineering objectives

This final phase will tie all the previous steps together and adds a layer of control over the processes. GDPR is not a one-off project to find out how your business scores towards compliance. It is an ongoing and constantly changing set of rules and regulations that you need to continue to comply with.

That’s why the questions in this phase are future-looking; solidifying what we are currently doing and building a series of processes and procedures that enable us to sustain our level of compliance, irrespective of changes in the legislation.

Once you’ve completed this step, you are on your way towards a strong and healthy future for your business.

How will we ensure seamless interoperability of GDPR moving forward?
What are the current penalties for non-compliance?
Are we changing as fast as the world around us?

Using a 5-phase approach like this ensures you’re approaching the GDPR compliance from every angle and you’re building a healthy future-proofed business.

Click the image for details of how to purchase.

Ivanka Menken is the author of GDPR Practical Tools for Self Assessment, now available for purchase.

Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.

GDPR, compliance and much more will be under discussion at our MINT Data Driven Marketing Summit on Wednesday April 18 in central London. GMA readers can get £100 off the ticket price. Book NOW to hear top-level speakers share their knowledge about GDPR, innovation and the new data economy.

Username

Basic Information

First Name *

Last Name *

Company *

Job Title *

Country *

Account Information

Password

Confirm Password

E-mail Address

Confirm E-mail

Biographical Info

Share a little biographical information to fill out your profile. This may be shown publicly.

Terms and Conditions

Terms and conditions – website usage

Welcome to the Global Marketing Alliance (GMA). The GMA website is a product of the Global Marketing Alliance Ltd. If you continue to browse and use this website, you are agreeing to comply with the following terms and conditions of use, which together with our privacy policy, govern GMA’s dealings with you in relation to this website. If you disagree with any part of these terms and conditions, please do not use our website.

GMA may amend these Terms and Conditions at any time by posting the amended Terms and Conditions on the GMA site.

The term GMA or ‘us’ or ‘we’ refers to the owner of the website whose registered office is at 7a Queen Street, Godalming, Surrey, GU7 1BA, UK. The term ‘you’ refers to the user or viewer of our website or to those who become members of GMA.

The use of this website is subject to the following terms of use:

The content of the pages of this website is for your general information and use only. It is subject to change without notice.
The information provided and the opinions expressed in this website represent the views of the authors and contributors.
Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. We are not liable for any inaccuracies or errors.
Your use of any information or materials on this website is entirely at your own risk, it is your responsibility to check that the information available meets your requirements.
This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
Information on this site may be contributed by our members or other contributors (including in blogs). We do not control the information they provide and are not responsible for the views expressed
If you believe that your intellectual property rights have been infringed on this site please notify us. We accept no liability for infringements as a result of user generated content but we will take reasonable action to remove such content where possible.
Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
Every effort is made to keep the website up and running smoothly. However, we take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
We reserve the right to refuse, suspend or cancel your access to the site at any time and without notice.
If you are acting as an employee, you warrant that you are authorised to enter into legally binding contracts on behalf of your employer. You further warrant that your employer agrees to be bound by these Terms and Conditions.
Purchases of training products or delegate places at events advertised on this site are subject to the terms and conditions of the providers.
Your use of this website and any dispute arising out of such use of the website is subject to the laws of England, Northern Ireland, Scotland and Wales.

Copyright notice

Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

you may print extracts for your personal and non-commercial use only
you may refer to and quote from the content for review or reference purposes within the limits of “fair dealing”, but only if you acknowledge the website as the source of the material
You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

I agree to the Terms and Conditions

Full Name LEAVE THIS BLANK

I agree to the Terms and Conditions

Author: Ivanka Menken

CEO and co-founder at The Art of Service | www.theartofservice.com

Ivanka Menken is a serial entrepreneur and the owner and co-founder of The Art of Service since 2000. She specialises in creating organisations that manage their services in a sustainable and customer-driven manner. With 20+ years of management consultancy experience and an education degree, Ivanka Menken has been instrumental in many organisational change management projects in The Netherlands, USA, Canada, New Zealand and Australia for both government agencies and private corporations. She believes that education and training is at the foundation of every successful enterprise. Menken is an accredited PRINCE2 Project Management trainer, course author and consultant and has been a guest lecturer for a number of Queensland universities on the subject of IT Service Management and Organisational Change Management and proudly featured as one of ‘Australia’s 50 Influential Women Entrepreneurs’ in 2016. While running The Art of Service, Menken authored a number of publications on IT Service Management, Cloud Computing and Customer Service. She also completed her Entrepreneurial Masters Program at MIT and served on the board as the second-ever female president of the local Entrepreneur’s Organization chapter.

GDPR – new data protection regulation is coming . . . are you sure you’re ready?

What types of privacy data does the GDPR – new data protection regulation – protect?

Phase 1: Recognise the value of GDPR for the overall business

Phase 2: Define what GDPR – the new data protection regulation – means within the context of our business

Phase 3: Measure & analyse how GDPR compliance is currently performed

Phase 4: Improve the GDPR compliance processes

Phase 5: Control and sustain the data engineering objectives