It’s now been over a month since GDPR came into force. Is your organisation now suffering from GDPR fatigue?
From what I have seen, in many instances the answer is a resounding YES. But why, given that GDPR is a good thing?
From conversations in recent months and changes in the volume of GDPR traffic on social media, I believe the current state of lethargy in this area stems from a few reasons. Almost every LinkedIn post and mailshot pre-May 25th was touting the horror stories: massive fines and huge volumes of DSARs and information rights requests. We all read them and yes, they were factual; these things could have happened and can still happen. From conversations within industry and experience working with clients, all these stories did for most organisations was set in motion a mass panic and a short-term, project-based approach, while many of the identified actions (while done with the best intentions) were incorrect, not required or ill thought out. In addition, the mass of SARs and information rights requests turned out to be a slight rise. To this point, the most recent ICO fines are dealing with concerns that were an issue pre-GDPR, i.e. nuisance calls and negligent losses of data.
What went so wrong?
It was very easy to become drawn into the hype, with so many articles and mailshots warning of the maximum fines and other potentially crippling penalties for non-compliance. This progressive panic and confusion resulted in companies not having confidence in the route they should take. With our clients, one of the main things we regularly do is distil the panic and confusion into a targeted, milestone-based plan. GDPR is in place for higher levels of transparency, enhanced data security and good data management being BAU.
People are taking a risk-based approach over fines. The ICO has always been very open about the fact that it did not plan to start mass fining on May 25th, and that those who will be worst affected by the fines at the start are those who do not meet the requirements under the previous Data Protection Act. Make no mistake, the ICO has increased headcount and, once it deems it reasonable to do so, we will start seeing more and more fines relating to no legal basis, incorrect consent, poor controls and no record of processing (RoP). At the moment people are happy to accept the risk of a smaller fine while they are en route to full compliance.
People are lacking the vision to see the opportunity that complying with GDPR will give. GDPR is still being looked upon as a project rather than an opportune time to either start or boost a transformation program that ends with good data management being embedded into BAU and its benefits firmly placed in every C-suite psyche.
So what now?
Now is the time to move the mindset away from pure GDPR. It’s about embedding good data management into the organisation for customer as well as other datasets. Good data management starts with knowing what you have, what it is, why you have it and its lifecycle; this is what should be embedded within your RoP.
Think organisational efficacy. Processes can remain in an organisation for years, untouched, out of date and with significant rework that people have become blind to. By completing the record of processing, you are looking at that process with fresh eyes. As well as understanding the data transfers, you will be able to identify risks and areas of inefficiency in a process and remedy these. While you need to have the RoP for personal data, this is lineage data and should be collected and valued as a corporate asset for all data types.
Want to upsell or cross-sell? If you truly understand your customer and can identify a customer across lines of business, and know their preferences, consents and how they like to be contacted, you will be able to effectively manage the information rights process, answer DSARs and have good data for analytics to ensure you market the right products to the right people. Not receiving multiple communications is just one way to help drive customer loyalty.
The journey does not need to be manual. There are many tools in the marketplace that can assist with Single Customer View, MDM and auto data discovery. If you do not have the expertise in-house, there are service offerings around resource and technology available. Here at Agile Solutions the DSGS team are specialists in Data Strategy, Governance and Security as well as Agile Methodologies. We have successfully assisted several clients in their GDPR journey. If you are facing challenges in this area or have other data-related challenges, contact us to see how we could help you.
GDPR and its requirements can and will assist you in taking your business to the next level if you look beyond the hype and treat GDPR as good data management and part of your corporate DNA.