Can organisations get any long-term value out of the process of becoming GDPR-compliant?
The short answer: yes. Here’s a framework for how to do it.
Organisations typically see regulatory change as troublesome—something that consumes a huge amount of time and effort, standing as a barrier to their goals and offering little value to the business. And given finite resources (budget and skilled people), they often have no choice but to prioritise regulatory change over discretionary.
That’s how many see the General Data Protection Regulation (GDPR). But there’s an upside to the mandatory compliance: long-term value for your business.
U.K. Information Commission Officer Elizabeth Denham says, “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
GDPR brings an opportunity to focus the mind. It nudges you to engage people across different teams, come together to ensure readiness, and manage exposure to any breaches and external threats.
GDPR isn’t just about ensuring that you’re compliant right now. It’s about ensuring that you’re compliant for the future. This requires a holistic approach and a collaborative effort from a multi-disciplinary team.
Working with partners and clients to support their GDPR efforts, we at Slalom have created a comprehensive and sustainable framework to help you navigate the challenges of GDPR compliance. Our framework consists of six dimensions that we believe are key to assuring the long-term success of any GDPR programme.
Here’s an overview of the necessary activities in each of the six dimensions.
1. Legal: Know the regulation inside and out. Leave no room for ambiguity.
- Assure organisational alignment and compliance with the GDPR legal framework and data protection legislation
- Define and implement best practices in privacy notification and consent
- Ensure that third-party business service agreements comply with GDPR requirements
2. Data governance: Understand the Personally Identifiable Information (PII) landscape. Know where the data is and who’s responsible.
- Assure policies, processes, and controls for capturing, processing, storing, archiving and deleting data
- Create data inventory for PII by identifying where the data is located, how it flows, and who owns it
- Define roles, responsibilities, and operating rhythm required to effectively manage and govern PII
3. Cyber security and data protection: Use privacy-by-design to protect data.
- Assure PII is protected by integrating and implementing incident simulation and penetration testing of security controls
- Protect PII through systems that comply with subject access request handling procedures
- Establish an incident response security programme, and breach remediation and recommendations
4. Customer interaction procedures: Understand customer touchpoints and fulfil customer rights.
- Assure customer rights are protected and supported through appropriate processes and procedures
- Ensure processes and mechanisms align with GDPR requirements
- Identify exception processes and procedures
5. Change management: Shift mindsets from owning the data to being the custodian of it.
- Assure the organisation is enabled and ready to be GDPR compliant
- Define and implement communication plans and learning strategies to ensure people are aware of the GDPR requirements and how they impact their roles
- Establish a culture where the organisation appreciates the importance of being compliant with GDPR legislation
6. Programme management: Bring it all together by managing scope, timeline, and budget.
- Implement the GDPR framework
- Improve management of project interdependencies and their impact on business as usual
- Ensure scope, timeline, cost, and quality are managed through an efficient programme
Your business doesn’t stay the same from one day to another, nor does your data. To sustain GDPR compliance, you need a comprehensive and sustainable approach reinforced by an innovative technology solution that’s able to perpetually scan the location and the flow of data.
From databases, messaging systems, PDFs, and spreadsheets, to a growing list of digital fingerprints, all types of personal information need to be considered in the path to compliance and beyond. (Note: there’s no such thing as GDPR accreditation; organisations are responsible for ensuring that they’re compliant.)
To Elizabeth’s point, if you get data protection right, you can realise real business benefit. Here are some of the ways that GDPR can help you realise this in a B2C model:
- Enable a single, unified view of customer data by developing a clear picture of your master data and shifting the mindset of employees to be proper stewards of that data through governance
- Improve customer engagement and marketing campaigns underpinned by customer rights and streamlined business processes
- Enhance self-service and analytics capabilities based on de-duplicated, trusted data sources
- Avoid bad PR, build trust, and create a customer-centric reputation by sustaining compliance
GDPR provides a great opportunity to get your house in order—and derive real value from it. That may be easier said than done, but with a holistic approach and the use of a framework like Slalom’s, you can be sure you have all your angles covered.