GDPR prep: Get ahead of data compliance rules
One benefit of preparing for the upcoming GDPR data privacy regulations: You can boost customer service at the same time
Businesses with European customers have a new line item in their budgets for 2018: The General Data Protection Regulation (GDPR). Passed in 2016, GDPR gives a significant boost to data protection requirements around customer information for EU citizens. Regardless of physical location, businesses serving customers in this region need to be prepared for changes to how they store, process, and interact with data.
While it may seem like a lot to unpack ahead of the GDPR implementation on May 25, 2018, IT and business leaders should start taking proactive steps to provide their internal departments with the background and tools necessary to satisfy these requirements. Here are a few things to consider:
Know your (customer’s) rights
The fundamental purpose of GDPR is to provide a greater level of visibility into how customer data is managed and used. GDPR makes this manifest in a dual-pronged directive: first, by bolstering customers' rights to information about their data; and second, by raising the bar for organizations when it comes to transparency, monitoring, and customer response.
Among customers’ new privileges are rights to access (inquiring about the use of their data); rights to erasure (requesting their information be scrubbed from customer databases); and rights to portability (using their personal data for their own purposes or transferring it from one IT environment to another).
Businesses must also alert customers to data breaches and/or phishing attacks when the security of their data is potentially at risk. Additionally, GDPR goes to great lengths to ensure consent around data permissions is unambiguous, and the withdrawal of said consent is easily accessible for the data subject.
Does this seem like a lot to handle? Keep reading.
Centralize, standardize, automate
While the wave of new data privacy rights may seem daunting, the next six months present a valuable opportunity for business and IT leaders to develop and implement defined, repeatable processes to field customer requests and stay compliant with GDPR.
Establishing standard operating procedures (SOPs) enables organizations to reap a variety of internal benefits – the first being improved customer service. With a standardized action plan for situations like customer data requests or audit responses, businesses can be proactive, ensuring any data subject inquiries are handled consistently and successfully every single time. Furthermore, following a standardized process helps employees improve their response times.
The most forward-thinking organizations will delve deeper into the process, identifying which parts can be automated, helping mitigate errors, and concurrently freeing up employees to focus on the manual or higher-level tasks of these inquiries. Approaching GDPR from this angle works for SMBs and enterprises alike – be it a three-person service provider or a Fortune 100 enterprise.
New regulations, new faces: DPOs and DPAs
Not only does GDPR introduce new rights for customers, but it also very likely requires organizations to bring in other individuals to help prepare and execute the initiatives laid out above. Internally, data protection officers (DPOs) offer much-needed leadership on the journey towards compliance. Depending on the scale of data processing and monitoring organizations perform, some may be required to appoint a DPO to oversee compliance efforts such as the processes above and serve as the liaison to officials when necessary.
Not every company will need to appoint a DPO. That said, many businesses may see benefits in nominating an individual from within – a “GDPR advisor” of sorts – to help coordinate compliance efforts.
On the other side of the coin, data protection authorities (DPAs) are government officials charged with the enforcement and official guidance of GDPR. Consider establishing an early rapport with local DPAs, as well as external legal counsel, to glean what current data protection laws are in place and ensure complete GDPR compliance.
Benefits: Better transparency and accountability
When it comes down to it, meeting the high standard set by GDPR is simply good for business. By introducing these processes, organizations increase transparency and accountability for the information they manage. These are practices that should already be in place but may not be standardized across departments.
GDPR-ready businesses will not only avoid crippling fines that accompany non-compliance, but also gain greater visibility into where data is kept within their organization. The downstream effects of this visibility come in the form of increased efficiency, security, and cost savings – all of which benefit a company's bottom line.
Systematically approaching GDPR with this knowledge is the best way to set any organization on the path to success. So get ahead of the data compliance curve – and enable a smoother transition for you, your employees, and your customers.