Type GDPR in any search engine and you get a plethora of suppliers offering a tech solution or some training program that will equip you with everything you need to know to get ready. The problem is that these solutions list what to do, but they fall short of telling you HOW to develop your readiness plan based on YOUR business needs, current practices and future strategy.
So are businesses ready for GDPR? According to a new study by W8 Data, the UK is doing very well, with only 29% of British organisations either not knowing about GDPR or feeling totally unprepared for it. This is not the case in Germany (only 52% of firms feel ready for GDPR), Spain (73% of firms would not be ready for the new regulation), Sweden (71% of firms would not be ready for the new regulation), and other European countries (falling somewhere in between).
How are UK firms preparing? Some are forming task forces focused on auditing current data practices and operations, assessing the impact of the new laws on how they process personal data, going through a risk-benefit analysis, and making decisions on how to change their processes accordingly.
Here are examples of what some organisations are doing to get ready for GDPR:
Wetherspoons: Back in June last year, the popular pub chain took the decision to delete their entire email database, and informed their customers that they would stop using email for promotional purposes, as many find it intrusive. Prior to that, Wetherspoons had suffered a breach of their customer database back in 2015. Having conducted a risk-benefit analysis for holding email addresses, they deemed it better to stop all email marketing. Instead of a push strategy, Wetherspoons switched to a pull strategy, inviting their customers to get the latest deals via their website or on social media.
The Hummingbird Bakery: Earlier this month, the popular Hummingbird Bakery contacted their email database to inform them that they are launching a new website, and that to be able to use it and continue to place orders online, customers needed to activate their accounts on the new platform. As part of the account activation process, customers are also offered the option to sign up to the newsletter (as a separate opt-in). This could be considered a low-risk approach to confirming customer details for a legitimate business interest (i.e. allowing customers to continue to make purchases on the new online platform).
On the B2B side, organisations are also preparing for GDPR and one that stood out for me is Zoho: they are a global software provider based in the US, developing various applications to support business processes from sales and marketing, to finance, accounting and beyond. They hold a lot of data on their customers, and their customers’ operational databases, which means that GDPR compliance is a key requirement, and one that their customers all ask about. As part of their GDPR readiness program, they have published a dedicated section on their website educating their audience on what they are doing internally to be compliant, and providing links to tools and other education platforms that customers can reference.
While there is no one-size-fits-all approach to prepare for GDPR, it is important to understand that this is a business critical activity that requires commitment from the top and the allocation of resources to help turn it into an opportunity. Some key starting points are:
- Establishing a committed task force to ensure full coverage across all areas that may handle personal data is the first step.
- The task force should bring together stakeholders from across the business (IT, marketing, finance, HR, customer service, etc.) and should extend to legal counsel (in-house or external), tech providers of platforms where personal data may be stored, and other business partners (e.g. payroll providers).
- A thorough risk/benefit analysis based on business objectives and strategy will help inform what measures to take now to mitigate risk, ensure compliance, and build customer trust.
- It’s essential to always seek legal counsel or advice from GDPR practitioners.
And this is an ongoing activity: we expect the regulation to be updated frequently, as disruptive technologies become mainstream and more of our personal data is handled by various parties. As the regulation is updated, business practices will have to be reviewed to ensure we mitigate the risk and continue to be compliant.
January 29, 2018 by Adele Ghantous