With GDPR now in force, businesses across Europe are making changes to their web forms, terms and conditions, email footers and the like, to ensure they’re compliant with the new regulation.
However, as they go through this process, many organisations are coming across questions that are difficult (if not impossible) to answer. How many of our systems actually contain information about this individual? How can we be absolutely sure we don’t inadvertently contact someone who hasn’t opted in to communications? What are we allowed to do with the data, based on the consent we currently have? Has this data been edited, and if so, by whom? And who is officially in charge of this data-handling process?
The spreadsheet and silo problem
Difficulty, or outright inability, in answering these questions is remarkably common. It generally stems from the way businesses grow.
Spreadsheets and simple databases are often all a fledgling startup needs to handle its data. As the business expands, so does the number and size of these information stores. Specialist systems are often brought in alongside them for specific purposes, such as customer relationship management or email marketing. There may be a merger or acquisition, resulting in multiple applications that do broadly the same thing for different sets of customers (but inevitably hold the data in a slightly different way). While there may be some integration between all these various stores of information, it’s rare for it to be comprehensive.
Consequently, keeping control of what personal data is where, why the business has it, what it can do with it and who’s in charge of it, becomes ever more complex. To manage this, organisations attempt to put in layers of governance. But this is often piecemeal, and as many are finding as they seek to comply with GDPR, it doesn’t give them a good enough handle on their data. They still can’t answer those all-important questions.
Start by understanding your business processes
If your business is to be able to answer these questions effectively and efficiently, you need to step back from thinking about opt-in checkboxes and website privacy statements. Instead, look at the end-to-end business processes that the data is supporting. Once you understand these properly, you can put in place the governance that will make GDPR compliance a breeze.
And before you roll your eyes at the prospect of ‘even more governance’, implementing these measures will actually lead to numerous benefits beyond simply GDPR compliance. Here’s what to do.
For each of your key business processes, map out the process and the data you need to support it. Visualising it in this way will make a number of things easier.
First, it will show you what data you’re collecting. Second, you’ll be able to see where and how that data is being processed and used. This, in turn, will help you answer the question of your lawful basis for processing the data, which GDPR requires you to identify and document.
As well as being enormously illuminating, being able to see and understand your key business processes enables you to put in place effective and holistic information governance. Who’s responsible for the data at each stage of its journey through your organisation? How could the data be misused or exposed at each stage, and hence what security measures are required there? How long are you going to keep each piece of information, and how will it be deleted when that period ends?
Governance that makes you more agile
As we touched on above, many perceive data governance as a millstone that hampers their ability to do their jobs: hoops they must jump through that ultimately slow down the process of getting products and services to market.
But in reality, the thing holding many businesses back is not information governance, but their lack of organisation-wide data oversight. With personal data stored all over the place and little clarity over what they’re allowed to do with it, designing and getting approval for new or updated products and services takes far longer than it should.
Instead, if all your business processes are well understood and you have the appropriate governance in place, you actually free your product teams to work with much greater agility. They’re able to see exactly what data the company holds, and what they’re allowed to do with it. As a result, they’re able to design the best possible product or service, without making unnecessary compromises. And when it comes to getting approval to launch, whether that’s internal or from your regulator, you’ll have all the evidence there to demonstrate compliance. Consequently, your pioneering new product or service can potentially be in the hands of your customers far more quickly than it could under your current setup.
Release the shackles
So rather than seeing GDPR compliance as a necessary evil, see it as an opportunity to take the shackles off your business. Free yourself from the constraints of those spreadsheets and siloed systems by taking time to fully understand your processes. Put in place a governance framework that simultaneously gives you the necessary control at the core of your business, while freeing your people to work more effectively.