It’s been months since the European Union introduced its new General Data Protection Regulation (GDPR). Companies around the world have been scrambling to make sure they’ve met data storage consent rules, while also working out how to respond to customer enquiries about data retention. However, many of the more subtle aspects of GDPR best practice have been lost on firms who have ensured basic legal compliance and promptly forgotten all about it.
GDPR shouldn’t just be a regulatory responsibility. It also provides opportunities for companies to refine their practices and improve data management. In a post-Cambridge Analytica age, this is crucial for reassuring customers, as well as avoiding punitive penalties. These are five advisable (yet often overlooked) GDPR practices that 100TB would recommend to any client:
#1. Study the regulations in detail to identify potential benefits.
Don’t skim-read an executive summary of GDPR to ensure you’re legally compliant, and then move on. This is a golden opportunity to ensure your business only retains essential information about customers and suppliers, through a process known as data minimisation. Holding less data may also produce cost and efficiency savings – simpler databases make mailshots quicker, eliminating archive rooms frees up office space, and so on. Don’t forget GDPR applies to paper records as well as electronic ones.
#2. Appoint one person to the role of GDPR manager.
Ensuring legislative compliance is too important for anything to fall through the cracks, particularly as customers must be notified of a potential breach within 72 hours. Allocate responsibility for implementation and monitoring to a single individual. He or she must take the time to understand client lifecycles, from onboarding to offboarding, devising appropriate processes at each stage.
#3. Train staff so they understand the rules and implications of a breach.
GDPR has business-wide implications, and the appointed officer should educate staff about their individual roles in achieving long-term compliance. This needs to be done in jargon-free language to avoid people losing interest and tuning out. Equally, staff are far more likely to adhere to the rules if they understand the benefits of GDPR – and the penalties for breaching it.
#4. Investigate archiving and data destruction processes.
If you had to destroy data, how would you do it? Would deleting everything on your C drive leave copies in the cloud, in email PST folders, or in ring binders? Data wiping now requires audit records to prove that information was fully expunged in accordance with the regulations. Achieving this involves staff training, standardized record-keeping, and identifying and resolving any weaknesses or errors in the existing data erasure process.
#5. Develop a streamlined offboarding process.
Offboarding is a regrettable but necessary part of any company’s operations: saying goodbye to former clients before erasing their data. Yet the temptation remains to maintain archives (more commonly silos) of information ‘in case’ the client returns, even though GDPR stipulates that data can only be retained if it’s absolutely necessary. Firms may wish to advise departing clients that all correspondence and materials held on file will be deleted – it could even underpin a final push to retain their custom. Are you sure you want us to forget you?