5 things to do now for GDPR compliance

null

May 25 is upon us, marking the first day of enforcement of the GDPR. The measure is aimed at protecting the data of EU residents wherever they go online, so companies all over the globe need to be prepared. The regulation carries a hefty fine for non-compliance: The greater of €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise. This thing is big, and it has teeth.

In the time since the regulation was adopted in April 2016 and now, negative sentiment has morphed into Y2K like fears about what will happen on May 26. Will there be an avalanche of consumer complaints that companies have to deal with? Will supervisory authorities begin aggressively prosecuting violations? Will they go after companies both large and small? How deep will auditors dig? How will grey areas of the regulation be interpreted? These are just a few of the unknowns that are driving these fears.

I heard one product manager refer to GDPR as the “Great Destroyer of Product Roadmaps.” He was only half joking. His organization, like many others, had to change a lot of the work they were doing just to comply. Compared to something sexy like working on a new product launch, GDPR compliance is like eating your vegetables. But, like eating your vegetables, it could be good for you. 

The trick right now is to lay the basic groundwork for compliance, without burdening your users with a whole bunch of opt-ins and notification about new terms of service or burdening yourself with self-imposed restrictions that turn out to be unnecessary. Done right, this is really an opportunity to prepare your business for a world in which data is a mission-critical asset, and data protection is a driver of consumer trust. Here are five things every company should do right now: 

1. Do a data audit and document your findings 

Up until now, most businesses have operated by collecting as much data as they can, figuring they’ll making sense of it later. Under the GDPR, businesses are only allowed to collect data they need for specific purposes. Your audit should catalog what data you’re collecting, where it lives, how long you retain it, who has access to it, and what you’re using it for. In a world in which data breaches have become routine, this is a good exercise in corporate data hygiene, and transparency, that has value in and of itself. 

2. Put a policy in place 

A lot of companies already have privacy policies in place, so this could be as simple as updating them to incorporate your general company stance on GDPR. I’ve been studying the updates to terms of service from the big tech players and what I’ve seen so far is most of the updates have been lawyered to be very broad: Staking a claim to data they have the right to collect; acknowledging a user’s right to their data, and the right to be forgotten. People are giving themselves wiggle room to see what will actually be required of them. If you have the luxury of legal help, work with them to get their thoughts. 

3. Describe how you will operationalize your policy 

How will you let people know what you’re doing with their data? Are you going to push out notifications, do opt ins, or just put a link on your site where they can learn more? If a customer requested their data, what procedures would you follow? The last thing you want to do is send the data to the wrong person, so you’ll need some way to verify the requestor's identity.

Your policy, and your organizational culture, will drive how you operationalize this, but again, I don’t think you have to have all the details such as which structured, machine readable format you’ll use to deliver the data, what channel you’ll use, or how fast you’ll do it, ironed out just yet.

If regulators come calling, having policies and operational procedures written down, even if they’re not perfect, at least leads to a conversation where you can ask them for help as how to buttress your existing efforts. That’s a much better conversation than the one that starts out with, “You haven’t done anything. This is really bad.” 

4. Learn from your peers 

Whatever industry you’re in, there are probably interest groups, trade publications and conferences that are trying to educate their constituents on the GDPR in general, and how it specifically applies to their industry. Find those venues for your industry. See what your peers are doing, and what resources they’re finding helpful. 

5. Follow the conversation and learn a little bit at a time 

Create a Google alert, bookmark articles, and set aside a little time each week to familiarize yourself with different aspects of the regulation, enforcement developments and even just the vocabulary. For example, what does it mean to be a data processor vs. a data collector? There’s an overwhelming amount of information, more than most of us need to know. I think a good goal is to build enough knowledge to be conversational and have a general sense of how this is unfolding so you’re not blindsided. 

Data privacy is a key issue of the 21st century, and there is no doubt that the GDPR is a landmark regulation, but just as with Y2K, the sun will come up in the morning on May 26 and not much will have changed. It’s going to be a long time before we know how all this will play out, and there’s no GDPR certification, or Six Sigma process you can follow to help you get it right. If I were a betting man I’d bet on it taking a fair amount of time for things to work their way through the bureaucracy and precedents to be set. Enforcement resources are not unlimited, so it would make sense for regulators to focus on the big players as a way to set those precedents, and then the rest of us can follow suit. 

Every company has to make an investment in GDPR compliance now, and it’s likely more investment will be required down the road when we have more clarity. It’s a worthwhile effort, because customer data privacy is something no organization can afford to ignore, and that is really what you should focus on as your North Star. Customers love the personalized experience that data makes possible, and they also want to know that you’re keeping their data secure. If you’re already working to achieve that balance, you’re moving in the right direction. If you can crack the code on providing a delightful customer experience, while also keeping the data safe and letting customers know they can trust you, the “D” in GDPR could stand for “Differentiator.” 

Jeff Sakasegawa, Trust and Safety Architect at Sift Science 

Image Credit: Docstockmedia / Shutterstock