Want to cut through the GDPR-related noise and focus your preparations?
Then this blog is for you. In our recent webinar, we summed up our top 5 themes for businesses entering the final 3 months before the regulations come into force.
1. Think of GDPR as a useful exercise – not a compliance beast
We surveyed over 200 businesses about their GDPR preparation. The results are noteworthy: 77% are aware of GDPR but only 33% felt compliant. In other words, there’s mounting anxiety as the 25th May deadline approaches, rooted in the sense that achieving compliance is a massive undertaking.
For example, many people are unaware of how GDPR will affect their business and what will happen if they’re not compliant. Others are confused by all the information flooding the market. Still others are worried about the budget and resource needed to get ready and manage ongoing compliance.
Yes, these are valid concerns – and since most businesses use personal data across departments, time and budget are certainly required. However, it’s important to remember that getting GDPR-ready is a useful exercise outside of the compliance requirement because it forces you to take stock of your processes. And that means that, when you follow the right roadmap using the right technology, you open up future opportunities for the business.
2. There won’t be a grace period – you need to be preparing now
It matters if you’re not ready on 25th May. The onboarding period actually started 2 years ago.
Remember, GDPR builds on the privacy and security principles you should already adhere to under the Data Protection Act. If you’re compliant with that, you don’t have far to go for GDPR.
3. You need to understand the difference between a data subject, a data processor and a data controller
Much of the confusion I see arises because people don’t know the GDPR terminology. It’s not as complicated as it seems.
We are all data subjects – the people that companies keep data on.
A data controller decides what to do with the personal data.
A data processor carries out actions with the data – like collecting it, holding it or using it in business activities. Processors can be technology solutions and platforms as well as people.
Companies are often both data controllers and data processors.
Each has legal obligations under GDPR. For example, processors are required to maintain records of personal data and processing activities, and they’re liable if they are responsible for a breach. Data controllers must ensure their contracts with processors comply with the regulations.
4. Know your customers’ rights – and make the most of them
Under GDPR, data subjects have rights, and you need to be aware of them so you can fulfil your obligations if someone exercises them.
- Right to be forgotten: any customer can contact you and ask for their data to be deleted. You need to be able to do this quickly, so make sure your data siloes are connected so you can easily see all the places personal data is stored.
- Right to access: users have the right to access any information you store about them. Again, it’s important that you link your data siloes so it’s easy for you to comply with requests if, for example, you have marketing data in an email system and transaction data in an EPOS system.
- Right to rectification: anyone can contact you asking that you correct the information you hold. Consider having a portal that allows people to edit their own details to improve your service and free up internal resource.
5. Don’t forget: GDPR presents opportunities to excel
Put data protection and information security at the heart of your brand. Find new ways for customers to self-serve. Break down data siloes and discover operational efficiencies.
The process of preparing for and complying with GDPR offers you a valuable opportunity to improve the customer experience and boost brand value. Why not make this your competitive advantage?