“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation (GDPR)” — so said Jay Cline, PwC’s US Privacy leader, when the organization released its GDPR Preparedness Pulse Survey earlier this year.
And many businesses share Cline’s sense of awe. The survey shows that three in four (77%) US businesses are so keen to comply that they’re setting aside funds of at least $1 million to ensure they’re GDPR-ready; 68% are even earmarking up to $10 million for their preparation efforts.
However, it’s what they plan to do with their GDPR allowance that’s most interesting. More than 70% intend to implement a new framework — Privacy Shield, specifically created by the US Department of Commerce to help ease compliance — and a further 64% plan to centralize data centers in Europe. It seems the reason behind the big budgets is that businesses believe the only way to be compliant is rebuilding or rehousing their systems. Just 58% plan to lock down existing data processing first by setting up model contracts with their vendors.
So, is complete reconfiguration the best way forward, and if not, what’s the alternative? To find out, let’s take a look at the four key steps to GDPR preparation.
1. Start by taking stock
The best place to start? Take a step back and look at the bigger picture. Review the tools available to help – from vendors providing GDPR-compliant programs and industry bodies offering education sessions, to case studies of lessons learned – there’s plenty of support available.
Internally, a review of current data processes is crucial, covering where personal data is stored, how it is used, what security measures are already in place, and which third-party vendors are allowed to access it. The last point is especially important for marketers, who may be using a number of different vendors to build, deliver, and measure their campaigns, and consequently have a larger network to secure.
2. Don’t be overzealous
While the urge to rip out current infrastructure and pour large budgets into replacing it with new technology is understandable, it’s also unnecessary. The GDPR’s requirement for ‘privacy by design’ stipulates that all new systems must be geared towards privacy from the get-go, but this rule applies to future measures and is intended to drive better design going forward.
Instead, by tracking all current processes, you’ll be able to produce a map of data flow that highlights potential security gaps – such as areas where sensitive information is at risk, or partners whose privacy protection methods fall short of GDPR standards – and immediately take action to ensure they are plugged. For the majority of marketers, the path of least disruption will then lie in determining which systems are already secure and bringing them together.
3. Set rules everyone can follow
One of the great things about the GDPR is that it’s one defined set of rules, which is exactly what’s needed to make sure internal procedures adhere to the laws. By building bespoke internal guidelines and processes for meeting GDPR criteria you can guard against possible slip-ups and boost your standing as a privacy-conscious brand.
It’s also worth implementing an extra precaution — creating an in-house team of privacy experts, dedicated to monitoring governance and keeping it on track.
4. Communication is key
The last step, but one of the most crucial to success, is making sure every alteration is communicated — from changes in data handling procedures, to adapted terms and conditions — with your employees, partners, and audience.
Privacy policies have often been tucked away on webpages, but now they should be placed front and center – ensure your teams understand and enact this change. Transparency is key and helps build trust and rapport. Your audience will have no reason to utilize opt-out capabilities if they understand that a value exchange is taking place and that their privacy is being respected. GDPR should be viewed as a springboard to begin transparent privacy conversations with your audience – it’s not something to hide.
The arrival of new data laws may seem unnerving, yet it doesn’t have to inspire a full system reboot. By closely examining current procedures and systems against GDPR requirements, businesses in any sector — including marketers — can reorganize and streamline their existing tech setup, rather than pouring funds into starting over. The GDPR is designed to be an update for the digital age, not a processing endurance test.