GDPR: am I doing it right?
The General Data Protection Regulation (GDPR), is the slenderman for any entrepreneur, any business, private school, public hospital, the list goes on. What makes it so scary isn’t just the fines, well not only them, though they are pretty substantial mind you. The true challenge is understanding that we shouldn’t be intimidated by how vague the GDPR is, the law itself is vague for a reason.
This new regulation has become the golden standard for data protection, and the reason that it’s vague, is because it needs to fit a business model from a startup, public hospital, private school, you see where I’m going with this.
This means that the GDPR is different for different businesses and its approach should be unique to your business model and the type of data you manage. There is no one size fits all with the GDPR, it can rapidly turn into a panic-induced shoveling of your own grave. It’s easy to get confused, mostly because the level of complexity with which you protect data is your decision, as long as you comply with the requirements for data protection brought forth by the GDPR, it’s up to you how to meet them.
You can get carried away and design the most complex solutions for the processes which should be low on your priority list, so understanding your priorities and what processes involve sensitive data is key for your data protection strategy to move at a healthy pace. There will always be better ways to protect the data, focus on the requirements now and redesign later.
So, what do you need to build a strong data protection program? A dream team and full transparency.
The Dream Team
Yes, this can be done by one person (with the proper support). Most businesses will need to appoint a Data Protection Officer (DPO) at some point during their organizational development. If this is not yet a requirement for you, it’s smart to start developing someone within your organization to fulfill the role so you won’t have to worry later.
Whoever you appoint needs to understand the business at its core and be familiar with your processes across the organization, even better if they are constantly poking holes at them, this means they are doing their job the right way. A deep understanding of the business model and purpose will make it easier for your DPO to build a compliance strategy that benefits both the business and the data subjects.
Properly resourcing your dream team should follow. GDPR compliance is by no means an easy undertaking. If you are appointing an internal DPO, make sure to provide them with the training, e-learning material and legal consultation they’ll need to properly build your compliance strategy. The DPO role is not required to be fulfilled by a lawyer under the GDPR, but expert knowledge of European privacy laws, your business model and data protection strategies sure are.
Transparency
Honesty is the best policy, under the GDPR it’s the required one. From the moment you are collecting data from whoever your data subjects are, you need to be honest. Provide them with clear visual cues of where your data privacy resources are located (privacy policy, data subject request process, cookie policy, etc.). These resources are paramount to the GDPR since they represent your main line of education for your clients.
You need to clearly disclose which data you’re collecting, for what purpose, and how long you’ll be storing it. Internally, you need to define the lawful basis for you to process that data: are you processing data based on consent, contractual obligation or legitimate interest?
There are several more reasons protected by law with which you can argue the reasoning of why you process the data you collect, but they need to be transparent and hold up to scrutiny. So being as honest as you possibly can is your best bet for having an iron-clad frontline for your data protection strategy.
When you ensure your clients are fully aware of what happens to their data once it enters the business, you are clearly educating them about what they are consenting their data to be put through. Consent should be the lawful basis for most processes, and collecting it adequately can make or break your data protection strategy.
There are several businesses that have taken this approach seriously, like Paypal, who as part of the privacy policy they include a list of over 600 third-party vendors who process client data on their behalf. Being too transparent can be a risk, but in our current climate, it’s the best way you have to show probable clients how serious you are about your data protection program.
WIIFM
The GDPR has brought forth a new way for businesses to strategize, to innovate and make privacy part of the services they provide to their clients and other organizations who process data on their behalf. As it stands, the GDPR will become somewhat of an adopted standard with many countries already set on following suit with the innovative regulation.
Understanding the imperative changes coming to data protection is key to develop your organization the right way and avoid investing in “catching up” a couple years down the line, so even if you don’t process EU citizen data, you should be working towards the changes and requirements established by the GDPR.
Once you’ve achieved compliance, maintaining it is a whole new game, called “Privacy by Design”, but that’s a topic on its own right. So we’ll save it for another time, stay tuned!
