Data is fundamental for organizations as many are opting for innovative business models and data-driven approaches. While consumers are willing to share their personal data, transparency concerning the handling of this data and its protection is becoming increasingly important to them.
Given the speed at which technology is advancing, it is vital both that an appropriate legislative framework is developed and that companies take the measures necessary to handle personal data appropriately.
With the introduction of the General Data Protection Regulation (GDPR), the European Union is harmonizing the legislation governing the processing of personal data across the EU and putting the individual (the data subject) at the center of it.
As of 25 May 2018, all organizations operating in the EU will have to comply with the GDPR, which can be a challenging task to undertake. Our team of Data Privacy & Protection Services experts has developed a 5-step approach to help you achieve this goal.
1) Define your Privacy Strategy
Defining your privacy strategy is the first step. Without it, you cannot have a consistent and coherent approach. The strategy must be clearly defined and articulated, and it must be endorsed by senior leadership. You need to get it on their agenda fast.
2) Where are you now?
In order to establish the size of the task ahead and the specific areas that need to be addressed, you need to understand your organization’s current maturity. This is not a tick-box exercise but a pragmatic, focused process to really understand the GDPR privacy risk exposures that exist across your business. You will also need to consider what aspects of the GDPR, and privacy in general, are the key drivers for your organization. What matters most?
3) Take a pragmatic approach
You need to build a realistic plan that helps you manage your risk to an appropriate level, in line with your overall business strategy. This does not necessarily mean taking a leading position in every single respect; it means having a clear view of what success looks like for you. Where do you want to start?
4) Co-ordinate and deliver
Focusing on areas of greatest risk, you need to ensure that controls are embedded as part of your day-to-day business operations. This will require coordination across the business. Make sure you have the right blend of input from legal, IT, HR and marketing and enough resources. Don’t underestimate the level of effort that will be required — personal information is everywhere in your organization.
5) Embed into business as usual
Complying with the GDPR is about defining, implementing and then sustaining compliant processes. As of 25 May 2018 you will be required to demonstrate, on an ongoing basis, how you collect, use, retain, disclose and destroy personal information in line with the GDPR requirements. This affects everything you do relating to personal information and is therefore a significant transformational activity for your organization going forward. In short, the GDPR has to become "business as usual" within your organization. It's about embedding the GDPR's accountability principle.
Our Privacy Services have been designed with the understanding that organizations need tailored, risk-based solutions that address their individual privacy needs, risk appetite and future business strategy. Their modular and layered structure enables targeted solutions to be defined, assessed, designed, implemented and monitored consistently, guiding you through the complexity of privacy regulation and of large global organizations. Our core services are:
How can you turn GDPR into an advantage? It starts with recognizing that data is one of your organization's most valuable assets. Seen this way, every business process that uses personal data becomes an opportunity: an opportunity to gain a better understanding of your customers, of the performance of your organization and of the broader marketplace by gathering and refining personal data.
Managing this requires a careful strategy to ensure that the data is reliable, that customers understand what you are doing with their personal data and, where required, that you have obtained their consent. This ensures that the insights the data delivers are actionable, and it reduces the risk that your organization is perceived as intrusive as customers see more tailored products, pricing or services.