Say "General Data Protection Regulation (GDPR)" to many business owners and you're likely to be met with a blank stare. For many, the regulation, thought up in the distant rooms of the European Parliament, and not enforced until May 2018, is not a current-day problem. Except it is, because once you take into account all the different requirements businesses will have to adhere to under GDPR, the amount of work that will need to be done to get up to speed and the hefty €20 million fine, it becomes a very big problem for everyone.
Furthermore, any business hoping that Brexit will provide us with a get-out-of-GDPR card will be sorely disappointed. GDPR affects any business that handles the personal data of EU citizens. So if you want to do business with Europe, you're going to have to comply with GDPR.
GDPR is an expansive law, taking into account our modern-day use of consumer data and the value behind it. GDPR affects all aspects of how businesses collect, store and use data, including informed consent, data portability and data use.
Like any big task, it's common sense to break becoming GDPR compliant into smaller steps. This allows you to focus your resources on one aspect and get it up to the level required by GDPR before moving on to the next. That said, you do need to allow yourself enough time to cover all the different parts of GDPR before the May 2018 deadline hits.
First of all, it's a good idea to assess your data's current state of play. Undertaking an audit of your data will help you understand where your data is located, what format it is in and how you are using it. It will also tell you what actions you'll need to take to become GDPR compliant. Knowing this, you'll then be able to plan out what you need to do, when and what resources you need.
Many businesses hold on to a lot of data, but much of this is spread across an organisation in departmental silos. Consolidating all of this data in one central point - a data lake - will save you a great deal of time in the long run when dealing with consent, data protection and data portability under GDPR. It makes more sense to protect one central reserve than to be spread too thin trying to protect and manage many.
Once you've got your data in one place, you can look at whether it is in a structured and commonly used format, as required under GDPR. This means that a customer can come to you and request to move their data to another company, perhaps a competitor, and you'll have to comply.
This highlights how GDPR will shift our current relationship with consumer data. Businesses will no longer be able to claim ownership of customer data; instead, they will be custodians of it. Ownership of personal data will lie solely with consumers.
This leads nicely to the final hurdle for businesses to clear: consent. As businesses will merely be custodians of personal data, consumers will have to give their consent each and every time a business wishes to use their data. To make this more manageable, consider setting up a consent hub - a single location where an individual can log in and fill in their consent for different activities.
Consent is likely to be a hot topic for many businesses dealing with GDPR. Without it, your marketing and sales functions are likely to fall apart. It's essential you give yourself enough time to contact your customers to ask for their consent. Many people will need a few prompts before they take action, so planning a complete marketing strategy involving email, social media and other relevant channels is a good move.
There is a lot of legwork to be done by every business to become GDPR compliant and the preparations have to begin now. If you don't know where to even begin in becoming compliant, it's worth getting an expert in to help guide the way and carry out many of the activities listed above. You may feel like May 2018 is a long way away, but you'll be hard pushed to become GDPR compliant by the deadline if you don't start now.