Navigate the “Bumps in the Road” on your journey towards GDPR compliance

Chief Commercial Officer, J Cromack, reflects on his recent panel session at the GDPR:Summit

On the 30th January, I had the pleasure of addressing a room of delegates at the GDPR:Summit in London, alongside other like-minded advocates of strong data governance – Neira Jones, Sue MacLure, Robert Wassall and Tim Hunt.

The discussions around the room were, quite rightly, centred on the impending General Data Protection Regulation (GDPR) and how it impacts business as usual. For me, there appears to be a lot of talk around the actual regulation, probably a bit too much – when the focus should be on getting it into practice.

The crux of the matter is that organisations need to place their customers, supporters, members, donors, patients, employees or whatever you call them (we say the citizen at MyLife Digital), at the heart of their data and GDPR strategy.

Simply remember that the personal data citizens entrust to you actually belongs to them – you are a temporary custodian of this information whilst they remain in a value exchange with you. The value exchange is the benefit both parties gain during the period of time you interact. Whether this is for products, services or employment, once the transaction or contact is complete, under GDPR the personal data must be deleted or anonymised after a certain time period (which you must determine based on your usage of the data and what is right by the citizen), as set out in your Privacy Policy.

So, this brings us to the point I continually make: organisations need to be accountable for the personal data they process. They must be transparent about what they collect and store and how they plan to use it and, where applicable, empower the citizen to control their own data. I see this as shared accountability between the Data Controller and the Citizen.

To enable this across the entire business a single source of data permission must be established. It’s no good having multiple silos of data spread across laptops, departments, servers, CRMs, regions or countries. This way madness lies.

Personal Data Permission portals that sit above all data sources and processes, and are available at all data touchpoints to Citizens and authorised operators within an organisation, can provide transparency of data usage and the current status granted to use the Personal Data. They also provide an audit trail and a record of the privacy notices and other information presented to the Citizen at the time the data was collected.

What’s also needed is a solution that doesn’t solely focus on consent and marketing preferences but digs deeper to account for the six lawful bases for data processing – Consent, Contract, Legal Obligation, Vital Interests, Public Task or Legitimate Interest – and captures the 5Ws:

  1. What personal data is being processed?
  2. Why is the personal data being processed – the purpose and the legal basis for processing the data?
  3. Who/Which organisation or department can process that data for the given purpose(s)?
  4. Where (and how) was the relevant permission captured from the citizen?
  5. When was the relevant permission captured from the citizen – and for how long?

At MyLife Digital we have been developing our Consentric Platform, which provides all this and more, since January 2015, long before the GDPR bandwagon was being ridden. Consentric Permissions delivers strong data governance of Personal Data through transparency, accountability and empowerment. Because we set out to give the citizen back control of the way organisations process their data, it underpins the Rights of the Data Subject defined in the DPA and the GDPR.

With the marketing world looking to use Legitimate Interest as the way forward to justify processing personal data without consent, remember three things:

Firstly, you have to be able to demonstrate that you have informed the citizen of your legitimate interest and undertaken the Balance Test. Secondly, you must give them the right to object to the processing activity, which has to be easy to exercise and preferably available via an online tool. Thirdly, PECR (and soon the ePR) still require consent for electronic communications, and that consent needs to be recorded by purpose.
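As an added illustration (not the post's own material, and not MyLife Digital's Consentric code), the following hypothetical Python permission register stores the 5Ws listed above as one record per citizen, data category and purpose, keeps an append-only audit trail of what was captured and when, and answers the question the three legitimate-interest points raise: is this processing permitted right now? It refuses processing once the retention period has elapsed, once consent has been withdrawn, when a legitimate-interest claim has no recorded balance test, or when the citizen has objected. All identifiers, timestamps and the retention period are constructed sample values.

```python
"""Added example (not MyLife Digital's Consentric code): a minimal permission
register holding the 5Ws per permission, an append-only audit trail, and a
decision function for "may this processor use this data for this purpose now?"."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class LawfulBasis(Enum):
    """The six lawful bases named in the post."""
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTERESTS = "vital_interests"
    PUBLIC_TASK = "public_task"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass
class Permission:
    """One permission record: the 5Ws plus the evidence a later audit needs."""
    citizen_id: str
    data_category: str                       # What personal data
    purpose: str                             # Why: the purpose
    basis: LawfulBasis                       # Why: the lawful basis
    processor: str                           # Who may process it
    captured_via: str                        # Where/how it was captured
    captured_at: datetime                    # When
    retention: timedelta                     # ...and for how long
    privacy_notice_version: str              # notice shown at capture time
    balance_test_ref: Optional[str] = None   # legitimate interest: documented test
    withdrawn_at: Optional[datetime] = None  # consent withdrawn by the citizen
    objected_at: Optional[datetime] = None   # objection to legitimate-interest use


class PermissionRegister:
    """Single source of permission truth with an append-only audit trail."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str, str], Permission] = {}
        self.audit: list[tuple[datetime, str, str]] = []

    def record(self, p: Permission) -> None:
        self._records[(p.citizen_id, p.data_category, p.purpose)] = p
        self.audit.append((p.captured_at, p.citizen_id,
                           f"{p.basis.value} captured for '{p.purpose}' via "
                           f"{p.captured_via}, notice {p.privacy_notice_version}"))

    def withdraw_consent(self, citizen_id, data_category, purpose, when) -> None:
        p = self._records[(citizen_id, data_category, purpose)]
        p.withdrawn_at = when
        self.audit.append((when, citizen_id, f"consent withdrawn for '{purpose}'"))

    def object(self, citizen_id, data_category, purpose, when) -> None:
        p = self._records[(citizen_id, data_category, purpose)]
        p.objected_at = when
        self.audit.append((when, citizen_id, f"objection recorded for '{purpose}'"))

    def decide(self, citizen_id, data_category, purpose, processor, now) -> tuple[bool, str]:
        """Return (permitted, reason) for a processing request made at time `now`."""
        p = self._records.get((citizen_id, data_category, purpose))
        if p is None:
            return False, "no permission recorded"
        if processor != p.processor:
            return False, "processor not authorised for this purpose"
        if now >= p.captured_at + p.retention:
            return False, "retention period elapsed: delete or anonymise"
        if p.basis is LawfulBasis.CONSENT and p.withdrawn_at and p.withdrawn_at <= now:
            return False, "consent withdrawn"
        if p.basis is LawfulBasis.LEGITIMATE_INTEREST:
            if p.balance_test_ref is None:
                return False, "legitimate interest claimed without a recorded balance test"
            if p.objected_at and p.objected_at <= now:
                return False, "citizen has objected"
        return True, "processing permitted"


def run_demo() -> dict[str, tuple]:
    """Constructed sample data; citizen ids, timestamps and retention are hypothetical."""
    reg = PermissionRegister()
    captured = datetime(2017, 6, 1, tzinfo=timezone.utc)
    two_years = timedelta(days=730)
    reg.record(Permission("c-001", "email_address", "newsletter", LawfulBasis.CONSENT,
                          "marketing", "web-form", captured, two_years, "v1.2"))
    reg.record(Permission("c-001", "postal_address", "direct_mail",
                          LawfulBasis.LEGITIMATE_INTEREST, "marketing", "order-checkout",
                          captured, two_years, "v1.2", balance_test_ref="LIA-2017-04"))
    reg.record(Permission("c-002", "postal_address", "direct_mail",
                          LawfulBasis.LEGITIMATE_INTEREST, "marketing", "order-checkout",
                          captured, two_years, "v1.2"))  # no balance test on file
    reg.object("c-001", "postal_address", "direct_mail",
               datetime(2018, 1, 15, tzinfo=timezone.utc))
    now = datetime(2018, 2, 1, tzinfo=timezone.utc)
    later = datetime(2019, 7, 1, tzinfo=timezone.utc)  # beyond the 730-day retention
    return {
        "consented newsletter": reg.decide("c-001", "email_address", "newsletter", "marketing", now),
        "wrong department": reg.decide("c-001", "email_address", "newsletter", "finance", now),
        "objected to LI mail": reg.decide("c-001", "postal_address", "direct_mail", "marketing", now),
        "LI without balance test": reg.decide("c-002", "postal_address", "direct_mail", "marketing", now),
        "retention elapsed": reg.decide("c-001", "email_address", "newsletter", "marketing", later),
        "audit events": (len(reg.audit), reg.audit[-1][2]),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The decision deliberately keys on citizen, data category and purpose together: a permission captured for one purpose says nothing about another, which is why the "wrong department" request fails even though the same e-mail address is consented for the newsletter. The audit list is only ever appended to, so the register can show, for any record, which notice the citizen saw and when each change was made.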

With just over four months to go until the enforcement date, now is most definitely the time to be making progress in your journey to adopt a citizen-centric data strategy. By doing so, mutual trust will be strengthened and deeper engagement will develop. Hopefully this will result in increased loyalty, reduced churn, enhanced brand reputation and heightened customer satisfaction.

So, avoid those data silo potholes, iron out the processing justification bumps and it will be smooth running towards best practice.