This morning I had the pleasure to attend a presentation and panel discussion organized by Moore Blatch and Carswell Gould on the topic of 'GDPR - Is your business ready?' I think all of us in the audience had a good basic understanding of the implications and were looking forward to the opportunity to discuss specific questions with the specialists on the panel.
The conversation was expertly led by Ed Gould, Creative Director of Carswell Gould. The panelists represented three different approaches to examining GDPR: IT, legal and communications. Of course, the whole nature of the regulation is that it ties together all parts of the business to ensure that handling of personal data is legitimate and secure. But your CTO works in one environment and your marketers in a completely different one, and yet these divergent stakeholders and activities need to be tied together to achieve the common objective under the new requirements. This may seem daunting at first, but, as became clear as the talk progressed, it is an opportunity rather than a threat.
I will try to summarize some of the takeaways that I found particularly valuable and would encourage everybody to read the regulation and the wealth of resources on the Information Commissioner's Office website and seek legal advice for a specialist opinion.
If you are starting now, start by mapping your data. Understand what type of personal data your organization holds: how do you acquire it, what do you use it for, where and for how long do you store it. Note that personally identifiable information does not need to be direct, e.g. names and e-mail addresses; it could also include information that could indirectly identify an individual. This should form the basis of your journey and, most importantly, will provide you with an invaluable opportunity to understand your business practices better and identify where improvements can be made.
Consent is extremely important, but it is not the only legal basis for data processing. Amongst others, legitimate interest is expected to be one of the most relied-on grounds for business. This should not be abused and is likely to depend on the relationship you have with your data subject. You will still need to allow the data subject to object to the processing.
Pursue ISO 27001 certification. This international standard for information security management systems can provide a solid basis for demonstrating compliance with GDPR. You will still need to focus on consent on top of this, but putting the infrastructure in place and reviewing it regularly is good practice to a very high standard. Explore other schemes that can be beneficial in addition to ISO 27001 as well.
Finally, look at GDPR as an opportunity. An opportunity to clean your data, to build stronger relationships between different functions in your business, to talk to interesting and interested people instead of mass emailing thousands, and an opportunity to show you are a partner to be trusted. Talking to your audience can be made all the more valuable thanks to GDPR: 'if you can make it human, you can make it interesting,' to quote Ed Gould.