GDPR is about action – here’s where to start

Consultations are not the answer to the questions posed by GDPR, says Julian Saunders of PORT.im. What matters is the way we can act now.

Just this week I’ve received a baker’s dozen of emails from various groups offering consultancy advice on ‘getting GDPR ready’. I’ve also been invited to a handful of webinars purporting to ‘guide me through GDPR’ and been given the opportunity to spend a couple of hundred of pounds to listen to a panel of lawyers discussing what GDPR ‘means’. When reading through all the marketing blurb on these ‘opportunities’ it becomes clear that, beyond the ‘top tips’, there is little tangible advice on the technology and action a business needs to take now to become GDPR compliant.

With the May deadline fast approaching, organisations really need to move beyond simply talking about becoming compliant to taking action to get ready.

A major first step is to decide on the data management technology your organisation requires. Most marketing businesses will have a considerable amount of personal data stored on multiple platforms. This can range from client data stored on solutions such as Salesforce, CRM data on Adobe Campaign or Mail Chimp, and, more commonly, reams of information on spreadsheets. It is this latter category that can prove the most troublesome, especially, because a lot of this data will be on personal computers, emails or USB sticks.

To unpick this data web, and get the knowledge you need to decide on the most appropriate technology solution, you need to undertake an audit. This involves mapping the sources of your company data, understanding the processes your staff use to update, use and store data, and what information you require now, and in the future.

After your audit, you’ll be presented with three overarching options – buy a new GDPR solution, build your own bespoke solution, or patch legacy systems. 

If your legacy systems are already creaking, you may consider moving to cloud services as far as practically possible and taking this opportunity to update your tech stack to ease your compliance tasks. Many organisations will make this choice as the enforcement of GDPR demands that they are accountable for all personal data within their control and this will be the easiest way to achieve, maintain, and ensure, compliance.

If you are tempted to adopt cloud services it is worth pointing out that even if the cloud services state they are GDPR compliant this does not mean that a business using the service will automatically become compliant.

Factors you should also consider when you’re picking your technology solution include how difficult it will be to maintain data synchronicity across all your services and create auditable records of data management. Add to this, the time and effort involved in managing data requests for deletion, portability, contests of legal basis and editing, along with the complexity of coordinating incoming customer requests about personal data via multiple channels, and for many organisations, the only option will be a fully integrated, flexible and automated platform.

Put simply, creating your own GDPR solutions can be very complex and costly to design, build and maintain. Privacy regulations will creep over the next few years and maintaining systems to comply will become increasingly onerous.

If you’re planning to purchase technology, one of the most straight forward solutions is an API enabled secure platform. Not only is implementing this type of solution much faster and cheaper, it can, depending on the technology, automatically include audit trails for regulators, and aggregation tools that enable the creation of a single customer view.

Another aspect to look out for is whether encryption is in built. This will relieve a huge burden on your developers, as they will only have to focus on the security of the in-house system.

Connecting internal systems to your solution will vary in complexity. For some older legacy technology systems, specialist technical assistance could be required. The audit at the beginning of your process should reveal this need and allow you to factor in the resources required. Again, an API enabled platform will mitigate the amount of time your developers and IT professionals need to dedicate to linking up your tech.

Of course, buying in or building technology is just one piece of the GDPR puzzle. Privacy by Design principles should be applied across your entire organisation. The security of personal data should become the highest priority. This includes establishing data breach notification procedures, training staff on the correct management of personal data, and setting up processes to ensure that your technical systems have full visibility on all personal data. This means carefully managing scenarios such as the transfer of personal data to laptops or mobiles.

What I’ve covered above is just a snapshot of the choices an organisation needs to take to get GDPR ready. With the clock ticking, it really is essential to move ahead with auditing, setting aside budget for technology and forming a compliance team to make organisational changes. Failing to do so could lead to your business making rushed decisions next year that are very costly to unpick and give your competitors an advantage.