With just under a month to go until the GDPR deadline (25th May) businesses are scrambling to get themselves compliant with a regulation which is fundamentally going to impact the way we all handle data for a long time. In the latest episode of Comms Business Live we spoke to a group of market experts to find out if it’s too late to make the GDPR journey!
Itret Latif, Interim CEO of FCS
“The hardest part may be for the larger organisation where you have to review all your agreements. People need to be aware that where you hand data off the data it is now captured in that respect and you need to back that off in your data agreements. You need to make sure you have someone writing the right paragraphs for you in those agreements.
We should also be aware of the Privacy and Electronic Communication Legislation which comes from my area which is the telecoms side. There is a focus on privacy element there too. That law hasn’t changed yet but it will be coming soon, it’s a good law in the first instance but it is going to be updated. Those two articles are going to fundamentally control how we look after data.”
TOP TIP: You may want to carry out a data protection assessment of your business
Ellie Allseybrook, Head of Business Growth at Inform Billing
“We have been talking about this subject for over a year now and we have been looking to the ICO for guidance but ultimately it is a European directive, the ICO are regulating it so actually they need to look at how they are interpreting some of the rules a regulations in there and then regulate it.
For your customers, you have to fulfil a contract to them. You are able to communicate with them as part of fulfilling that contract. When you talk about prospects, if you are responding to someone that has made an enquiry then again you are fulfilling a contract by responding to that request. It doesn’t have to be contract that is signed or in writing. Also there is legitimate interests, if it’s marketing a product or service which is related to something you already offer an existing customer then you can process data under legitimate interest, there extra things we need to talk about around that. In a B2B context it depends how you get your data and get your prospects. If you go to an event like Channel Live and meet lots of people there and have lots of useful conversations and people give you their data, you agree next steps of contact, it’s legitimate then to put them into your database and market to them. As long as you go through the processes with legitimate interest you don’t need to take a form with you and get prospects to tick ay boxes to say its ok. It’s a little bit of common sense.”
TOP TIP: Look at the ICO website for updates, make sure you understand ‘legitimate interest’
Danielle Price, Head of Sales at Wisdom (Part of the Daisy Group)
“Daisy have seen GDPR as a boardroom issue rather than one specific sector so we have really pooled our resources from different areas such as legal, compliance and IT. Daisy has grown by acquisition, and quite rapidly, which has come with its own challenges, so my team has helped search different areas of the business to see where the data is held. Once we had done that we were then able to cleanse the data and amalgamate it and get rid of some of the duplication we had. I think there was up to 16 versions of one document held at one point! We have then imported it into Wisdom which is our document management system to ensure our ongoing compliance.
We started our journey back in April 2016 but now technology is such a fast paced environment the ICO has to keep issuing more guidance. That guidance is getting better and better for us but until you put that guidance into practise I think that’s when you start to find what really works and doesn’t work for you.”
TOP TIP: If you are large business make sure you get board room buy-in for GDPR costs
Dennis Scott, Managing Partner at Metanoia
“We talk to all sectors, we’ve had a lot of professional services companies like accountants and solicitors, charties etc, and they all understand they need to be compliant but they need to understand the process. Part of that is to do with the technology but two other important parts which are often forgotten or ignored are the process side of it, including putting in place the policies, and also the people side. Without the training, education and awareness, that is probably one of the biggest downfalls of most organisations. If they put in place the right process with the necessary controls they shouldn’t have anything to worry about.
If you are talking about small businesses and sole traders you can have most things in place within a few days, normally we start by doing a full risk assessment. We would go into a business and look at the physical security thy have, at the IT security and then we would look at the processes they have in place. We would then help them by putting in policies and fill in those gaps. After that is done you need to train the staff, anyone that has access to personal data within the business needs to be included in the training, it isn’t just for the management. Not only do you train them you have to test them to make sure the information has been taken on board. We go in with a written multiple choice test and staff have to get 80% to pass.”
TOP TIP: Ensure all staff handling data are trained properly.