With GDPR finally here, companies still face numerous challenges but can also profit from the opportunities created by the new regulation.
The deadline has finally run out: the General Data Protection Regulation (GDPR) came into force on May 25th and replaces the EU Data Protection Directive 95/46/EC and all data protection legislation in EU member states. It applies, moreover, to every organisation that uses or handles the personal data of EU citizens.
Many companies are stunned by the multitude of extensive changes and strict obligations they are facing. Oliver Hach, an MDM expert at parsionate, one of the leading consulting firms for MDM/PIM in Europe, knows exactly how businesses can successfully implement the GDPR and, at the same time, benefit from it.
Mr Hach, GDPR has just come into effect, but there are still some companies that struggle to get to grips with how to make sure their own practices comply with the regulation. Why?
The GDPR has wide-ranging implications for the way organisations process and handle personal data. Compliance with this regulation usually entails taking extensive technical and organisational measures and carrying out significant structural changes in companies. This is no easy feat and involves a great deal of effort. Therefore, it’s no wonder that many companies don’t really know how and where to start.
So what are the first steps towards compliance with the new directives?
First of all, businesses should get to know and understand the new legal framework and understand how each aspect of the GDPR applies to them. Data is the key to a company’s success and to staying competitive in the market. At parsionate, we assist businesses in developing and establishing a suitable and future-oriented data strategy. One of the advantages of this approach, which we support with our proven consulting methodology, is that businesses will gain more visibility and achieve greater transparency about their customers’ data.
“Data is the key to a company’s success and to staying competitive in the market.”
Why is a 360-degree view of your customers so important for the GDPR?
In most companies, personal data, e.g. about customers, suppliers or employees, is stored and maintained in different systems, applications and databases. Quite often, even in places where you wouldn’t expect them at all. The GDPR requires businesses to maintain detailed and adequate documentation of all systems and processes used to store and handle data. A company must be able to identify, evaluate and securely store all data and information about its customers. It must know where (in what system) the data is being held and for which purpose it is used – and whether there are any gaps. To this end, parsionate offers specific “health checks”, which help improve the transparency. Thus, businesses can assess their level of compliance with the upcoming regulation, identify open issues and gain an overview of the required steps.
Could you please explain the Health Check in more detail?
parsionate’s GDPR Health Check is a workshop-based process designed to ascertain whether a company meets the strict requirements of GDPR across all departments and to assess and document the current GDPR compliance status. Through a structured approach, we analyse business processes and document all relevant systems, databases and applications. Every system or device that stores or processes personal data will be evaluated to verify compliance with the GDPR. Thus, we identify relevant data and systems, create a compliance report and interpret the results. Of course, we also offer support to take the necessary measures.
“Many companies think that adding a tick box to their CRM system will suffice. It doesn’t (…)”
As the name suggests, data protection is a key element of the GDPR. Which safety measures does a company need for its data?
Personal data requires special protection. Consent Management is a core aspect of the regulation: businesses need to obtain the explicit consent of individuals before storing or processing their data. Many companies think that adding a tick box to their CRM system will suffice. It doesn’t; companies must be able to provide, upon request, information about how personal data is used. They must also be able to prove, at any time, that they have effective data protection mechanisms in place, that suitable processes to obtain explicit consent from the data owners have been implemented, that data owners have the means to modify or withdraw their consent and that personal data is anonymised or pseudonymised before being used for other purposes or archived.
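The answer above lists what a company must be able to demonstrate rather than just tick: a consent decision per purpose, the ability to withdraw it, disclosure of what is held on request, and pseudonymisation before data is reused or archived. The following is an added illustration of one way to structure that, written for this article and not parsionate's tooling or the interviewee's method; the ledger class, the subject ids, purposes, consent-text versions and the HMAC key are all constructed for the example.

```python
"""Append-only consent ledger with withdrawal, subject-access export and
pseudonymised secondary-use export.  Added example; all names and data are
constructed, and SAMPLE_KEY stands in for a key the controller would keep
in a secrets store, never beside the analytics copy."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_KEY = b"constructed-example-key-do-not-reuse"  # assumption: per-controller secret


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str               # e.g. "newsletter", "profiling"
    granted: bool              # True = consent given, False = withdrawn
    consent_text_version: str  # which wording the person actually saw
    timestamp: str             # ISO-8601 UTC, set by the system, not the client


class ConsentLedger:
    """Events are only ever appended, never edited, so the ledger itself is
    the evidence of who agreed to what, when, and under which wording."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               version: str, when: Optional[datetime] = None) -> ConsentEvent:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        ev = ConsentEvent(subject_id, purpose, granted, version, ts)
        self._events.append(ev)
        return ev

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """Allowed only if the *latest* event for this subject and purpose is
        a grant.  No event at all means no consent: silence, a pre-ticked box
        or consent for a different purpose do not carry over."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def current_status(self, subject_id: str) -> Dict[str, bool]:
        purposes = {ev.purpose for ev in self._events if ev.subject_id == subject_id}
        return {p: self.is_permitted(subject_id, p) for p in sorted(purposes)}

    def subject_access_export(self, subject_id: str) -> List[dict]:
        """Full history held about one person, for an information request."""
        return [asdict(ev) for ev in self._events if ev.subject_id == subject_id]

    def subjects(self) -> List[str]:
        return sorted({ev.subject_id for ev in self._events})


def pseudonymise(subject_id: str, key: bytes) -> str:
    """Keyed hash: the analytics copy cannot be joined back to a person
    without the key, which stays with the controller, not the analysts."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()


def export_for_analytics(ledger: ConsentLedger, purpose: str, key: bytes) -> List[dict]:
    """Secondary-use export: only subjects who currently consent to this
    purpose, and only a pseudonym in place of the identifier."""
    return [{"pseudonym": pseudonymise(s, key), "purpose": purpose}
            for s in ledger.subjects() if ledger.is_permitted(s, purpose)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed history: one customer grants two purposes then withdraws
    one; a second customer was only ever asked about profiling."""
    t = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("cust-1001", "newsletter", True, "v1", t)
    ledger.record("cust-1001", "profiling", True, "v1", t)
    ledger.record("cust-1001", "profiling", False, "v1", t.replace(hour=10))
    ledger.record("cust-1002", "profiling", True, "v1", t.replace(hour=11))
    return ledger


if __name__ == "__main__":
    lg = build_sample_ledger()
    print(lg.current_status("cust-1001"))
    print(export_for_analytics(lg, "newsletter", SAMPLE_KEY))
```

The design point is that withdrawal is a new event rather than an update, so the history a supervisory authority or data subject may ask for is never lost, and the analytics export answers the "used for other purposes" requirement by filtering on current consent and emitting only a keyed pseudonym.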
Who is responsible for data protection and its implementation?
Assigning responsibility for data protection is one of the first and foremost tasks to ensure compliance with the GDPR. We recommend hiring a dedicated (possibly external) Data Protection Officer (DPO) who works with an explicitly appointed Chief Data Officer. The Data Protection Officer is responsible for overseeing the data protection strategy and its implementation to ensure compliance with GDPR requirements and is the point of contact in case of violation of the regulation. By default, if no DPO is appointed, the managing director shall be personally responsible and liable. As part of our Health Check, we will determine who, within the company, is responsible for which data, processes and applications that store and use personal data. The “parsionate Compliance Report” will document the current compliance status of the company’s data management processes with the GDPR, thus meeting the requirement of “accountability” set out by the GDPR.
“The GDPR offers the opportunity to streamline inefficient processes in data management.”
How quickly should a company be able to respond to a request for rectification or a data subject’s enquiry?
Under the GDPR, businesses have an obligation to respond to a data subject’s request for information without undue delay. They also need to make sure that they can react within 72 hours after having become aware of any data breach, for example in the event of data theft. If our methodology has been implemented, questions about the use, storage and modification of personal data can be answered and processed with little effort.
How can a company benefit from an analytical overview of its structures and systems, such as the one offered by parsionate’s Health Check?
The GDPR offers the opportunity to streamline inefficient processes in data management. Thus, for example, businesses will be able to save time and costs by not having to maintain and manage duplicate, incorrect and redundant data records, and by not having to rely on inaccurate data for their marketing campaigns. At parsionate, we are convinced that the GDPR may also be seen as an opportunity to get a reliable and accurate overview not only of your customers’ data but also of other associated data, thus paving the way for an effective master data management.
But let’s focus on the customers: consistent data management processes and a central, reliable and complete repository for all business entities will reduce costs and improve transparency. The integrated data silos can be combined with data from social media and thus offer a much more comprehensive overview of customers and their behaviour in a digital environment. Thus, companies will have the opportunity to gear their strategy towards their target market and leverage one-to-one marketing efforts. The entire company experiences a new and deeper understanding of how data should be handled. “Data is the new gold” – with this new awareness, companies can unlock the treasure trove and benefit from it. It’s a big step forward in the process of digitalisation!