
How Can my Company Prepare for Full GDPR Legislation?

    Since GDPR was officially introduced in May 2018, it has become a cross to bear for companies that have had to scramble to introduce systems that will protect them from data privacy enforcement agencies.

    The European Union has tried to help them achieve compliance but, four years in, the law remains somewhat ambiguous and official guidance continues to be inadequate. 

    Overall, it’s an icky situation for companies given the cost and time required to respect GDPR rules.

    This article runs through the five key steps you’ll need to take to get your company moving in the right direction.

    Step 1: Get Management Onboard

    GDPR necessitates “privacy by design” - a deceptively simple phrase that understates the scale of the task at hand. 

    This phrase makes data protection the north star guiding every system, process and procedure that your company is built around.

    Now, this is no small undertaking because it requires massive investment of capital - research has shown that nearly half of companies spend €46,000 on GDPR compliance, while 10% spend over €900,000 (Help Net Security).

    And that’s just the money.

    In practice, the process of meeting GDPR requirements means a huge cultural upheaval for organizations - who will fundamentally have to rip everything up and start again from the beginning.

    Obviously, this means that GDPR compliance must start with authorization and support from the very top of your company. But, with fines for the misuse of data making headlines, senior management is no doubt already aware of the importance of this work.

    Step 2: Raise Awareness

    Once you have managerial support, the next logical step would be to get everyone at your company trained up on the importance and implications of GDPR for the work they do.

    This training should encompass the basic principles of GDPR, as well as the new systems that will be implemented to ensure that all personal data flows through your organization as securely as possible. 

    Employees need to understand the effect that data malpractice can have on their company - both in terms of the potential for huge fines and the effect that mismanagement can have on future revenue and operational capacity.

    As such, your company must also have disciplinary procedures in place to ensure that employees comply with these new regulations. These should be written into employee handbooks and contracts, with the severity of consequences dependent on the intent or negligence involved.

    Step 3: Delegate Responsibility

    Your company may well need to hire a Data Protection Officer as a matter of urgency - either internally or externally with an outside contractor. 

    This can be a GDPR requirement, but some companies will be exempt - so, it’s important that you investigate this issue carefully.

    And, even if it’s not mandatory for your company, you may want to appoint one anyway to ensure that you have an expert on hand who is able to mitigate the risk of personal data being mismanaged.

    Step 4: Audit Your Data

    The next stop on the GDPR freight train would be a full data audit, enabling you to fully understand exactly what personal data you hold on EU residents and how it flows through your organization.

    Remember that your company is responsible for how any collected personal data is managed by third parties such as contractors and suppliers - including third-party martech providers like cloud software and website analytics tools.

    Step 5: Identify Problem Areas

    Once you have used this audit to build a high-resolution picture of what happens to personal data within your organization, you can work out what needs doing to ensure that all personal information remains secure as it moves through your operation.

    This will enable you to assign responsibility for addressing any gaps in data protection that exist. 

    And, exist they will; you’ll probably have to update everything - from privacy policies and consent notices to data access authority and other technical measures. 

    You may well also have to review third-party agreements, and remove contractors that lack real commitment to GDPR compliance, because ultimately the buck stops with you if they fall short of expectations.

    GDPR Compliance Is a Journey, Not a Destination

    Even once you’ve been through these steps and made all the necessary changes, you need to accept that GDPR compliance is an ongoing process - it’s one thing to put systems in place and quite another to ensure that employees continue to follow them.

    It’s easy to look at all the work that needs doing to respect data privacy regulations and lose heart, given the time, effort, and money involved.

    But by breaking it all down into these five stages and approaching it logically, you’ll be in a much better position to achieve your goals.

    If you’re looking for more comprehensive information, we’ve published a range of resources to help you with compliance. These include a GDPR and Data Privacy portal, a detailed Compliance Checklist and a Downloadable Guide for marketers.

    With the right guidance, you’ll get there in the end, so feel free to follow those links and arm yourself with the information you need.