GDPR: The Voice of Reason

Anyone who is involved with GDPR will know that there are always complexities and dilemmas, and these are often not simple and not quick to fix. The important thing is to start, to address the things you can, and to create a plan for dealing with the difficulties as well.

Here are some examples of how we’ve been working with clients, to illustrate the realities — warts and all!

For many of our clients, internal communication has been a major piece of work. Everyone is busy and GDPR can feel like just another problem, so getting people to buy in to the issue is critical. Part of this is understanding the potential fines and reputational damage to the business, but you can also help people relate to why it matters by asking them how they would want their own personal data to be looked after.

A common theme is making sure people understand what is caught by GDPR, and organising discussions around what amounts to personal data. The best way to reduce your problem is to minimise the personal data you collect in the first place: do you really need the data you are currently collecting? Many companies collect special category data about their employees (GDPR defines special categories of personal data, such as health or biometric data, which are particularly sensitive) that they don't really need, or they are not very good at deleting it even when employees leave.

For many companies, the focus is on marketing. For example, our clients in professional services often have lists of business email addresses that they have built up over years. In many cases these databases are not well maintained and there are no routines for cleaning and pruning them — they just keep on adding to them! Some companies have embarked on a programme to obtain consent for continued marketing; others are relying on legitimate interest as their lawful basis (as we are).

Manufacturers and supply chain businesses often hold lots of supplier data, whereas facilities management, care home or construction companies may have large numbers of staff, some casual or freelance, and lots of details about them that have historically been managed quite 'loosely'. At the extreme end, we have modelling agencies with large volumes of images and videos as well as passport and visa details.

Many companies need to overhaul some technical aspects of their IT, including encryption, password handling, patching and firewall configuration, as well as backup and disaster recovery plans. It is also important to be clear about where internal responsibility lies for the ongoing maintenance of these.

In almost all cases, contracts have needed some improvement to ensure everyone is clear on their duties. This covers contracts with suppliers, staff and partners, as well as cookie policies, privacy notices and information security standards.

And most companies have no existing plans for dealing with a breach, or with a request from someone to provide, correct or delete their data. As well as creating policies and plans for these, there is a cultural change needed: a focus on honesty and learning, rather than silence and cover-up.

But whenever we can, our aim is to find a business opportunity. For example, in many cases the exercise is an opportunity to re-engage with old sales prospects.

Analysing what data you have, how it moves around the business and why is critical to GDPR compliance, but it is also a starting point for improvements. There are always opportunities for greater efficiency and fewer errors, as well as for serving customers better.

In many cases we are able to use GDPR discussions as a springboard for serious consideration of radical improvements to processes and systems. Bringing data under control not only positions you for GDPR compliance; it is also the starting point for an integrated and streamlined business, and a solid platform for digital initiatives.


You might also find our previously published articles of interest:

GDPR: A simple guide for CEOs (and what to do right now)

GDPR Action Plan: 6 months to go