We’re now less than three months away from the EU’s General Data Protection Regulation (GDPR) coming into force. There is plenty of information available via the ICO, consultancies and law firms on what the regulation means and covers. However, practical advice on the steps you can take as a small or medium sized business to get ready is harder to come by.
The truth is, there is a lot you can do without the support of expensive consultants. Similarly, there are steps you can take, especially related to managing data, that will ease the implementation of any GDPR technical solution you choose.
If you’re already rubbing your temples and muttering to yourself that ‘it’s too late’, think again. With the right plan GDPR compliance can be achieved in a matter of weeks. We know this because we have helped numerous SMEs become completely compliant from a standing start.
This experience has given us insights into common problems related to the management and use of data which, by undertaking the following steps, can be easily overcome:
Map the location of all your data
Most businesses will have a CRM system that stores the majority of the information they hold on their customers. However, there will inevitably be a range of other data stores dotted throughout your business. It could be as straightforward as a spreadsheet on your sales manager’s laptop or some long forgotten marketing database put together when you were just starting up.
First, identify all of your known data stores. Then, list all your customer touch points where data could be exchanged. Finally, ask your staff to check what customer data they hold on their devices or, and this can easily be forgotten, within their email inbox.
Consolidate your data
After identifying all the data you hold, the next step is to get it all into the same format and place. Usually, you will be able to input any new information into your main CRM or sales system. For smaller businesses, a Google Sheet could be the best approach. Unfortunately, this step can be very time consuming and tedious.
Just remember the benefits you will accrue and money you will save from doing it properly make it well worthwhile.
Be ruthless with your data
One of the goals of GDPR is to make organisations more discerning about the data they collect. Essentially, this means moving from collecting information for its own sake to targeting only the information that is needed. A similar approach should be taken with the data you currently have.
Either in conjunction with consolidation or after your data is only in one place, purge any information you don’t need now and are unlikely to need in the future. The less data you hold, the lower your risk. Delete all copies of the same information that exist outside of your new main store.
Identify your technology gaps
It should now be clear whether the technology you currently have is fit for purpose. If you find that the systems you have in place make the above steps impossible or inordinately time consuming, it’s a red flag that your data management infrastructure needs an overhaul.
You should also ask yourself whether what you currently have can scale or is flexible enough to adapt to a new strategy or product offering. Finally, can you comply with GDPR responsibilities such as immediately porting personal data to customers or completely deleting it under the ‘right to be forgotten’? It is at this stage that you’re ready to approach consultancies or technical solutions with a brief on exactly what you need.
Enforce data governance procedures
The above will be pointless unless you make sure your staff understand and follow strict data governance procedures. Restricting who can access, collect, store and manipulate customer information reduces risk. Limiting or banning the copying and storing of data on personal devices or in places other than your main store will also help.
However, the best approach is to fully educate everyone in your organisation on their responsibilities and the fines that could be levelled for breaching GDPR. Reviewing these procedures regularly and ensuring they are adhered to will create a company culture that respects personal data and enables long term compliance.
It is important to remember that proper data management is not just about GDPR compliance. There are a number of additional benefits to getting your house in order. It will make marketing and customer service more effective and personalised, insights easier to obtain and strategic planning more certain, and it will allow for straightforward implementation of new business intelligence technology or techniques such as data science.
Julian Saunders is CEO and founder of PORT.im