Achieving Understanding, Clarity and Action from the market confusion
Guest post by Gordon Petrie, Director of Augmentum
At Quiver Management we have spent the last few months preparing for GDPR with the help of Gordon Petrie from Augmentum. We set a high standard for how we deliver our services and protect our clients’ data, and our policies and processes have been thoroughly reviewed and updated. You can see more in our new Privacy Notice.
We have found Gordon’s practical and pragmatic guidance hugely helpful, and we asked him to share some of his advice in this article.
“The General Data Protection Regulation (GDPR) is the biggest change to data protection law in a generation.”
Elizabeth Denham, UK Information Commissioner, May 2017
GDPR has moved from near obscurity to being one of the key business change issues facing every business.
Focus from the Information Commissioner’s Office (ICO) has increased, but there are still high levels of uncertainty and confusion in businesses large and small.
Much of the communication and activity around GDPR starts with the detail of the regulation, and this is a key cause of the uncertainty and confusion, because that detail is usually presented without any context.
If you treat GDPR the way you would approach any strategic change (albeit a compulsory one), it becomes possible to understand what the regulation is trying to achieve. The best source for that understanding is the ICO website (https://ico.org.uk/): its balance and plain use of language are excellent.
Refreshing business processes
If you approach this as a business process refresh and start with an audit of existing processes, focusing on where personal data flows, it will not only help GDPR readiness but will also highlight variances between how processes are documented and how they are actually run.
GDPR will affect almost all of your business; it is not limited to cyber security and legal documents. In fact, sales/marketing and HR are arguably the areas where the most change is likely. The breadth of change means external help and advice is likely to be of benefit.
Time for action
The points listed below can guide your approach to help with your preparations for GDPR and any changes that happen after 25th May 2018.
- GET STARTED – it isn’t as scary as it is usually portrayed.
- Understand the implications of how personal data is collected, used, managed, stored and disposed of within the business.
- Ensure you document what you do and any decisions you make, particularly your lawful basis for processing personal data. (And remember: CONSENT is only one of six lawful bases! We concluded that LEGITIMATE INTEREST was suitable and appropriate for Quiver Management, and this has now been implemented and documented.)
- Define the value of personal data to the business, particularly in sales and marketing. Think about profiling your customers if you haven’t already.
- Approach the 3 categories (Staff, Customers and Prospects) in a way that is appropriate to the category.
- Consider your supply chain and ask your suppliers what they are doing to protect data that you pass to them or receive from them. Staff data for payroll, pensions, insurance etc. should be a priority, as it is sensitive data.
- Assess where the data is stored and processed, and make sure that the security in place reduces or removes the risk to that data.
- Create a plan for implementing the changes including updating notices, revising processes, getting buy-in from and training staff and of course communicating with existing customers, prospects and suppliers.
GDPR is a big change imposed upon businesses, but its intention is one we can probably all support, and it is also a good opportunity to review and refresh our processes.
Gordon Petrie is a Director of Augmentum, a business support consultancy that helps business owners break down complex business issues so that they can be understood, assessed and acted upon. Gordon has over 35 years’ experience in the IT sector, which has given him a broad knowledge of, and approach to, resolving process issues. His recent work has focused largely on supporting businesses through GDPR compliance, which he sees as an opportunity to assess, reflect on and improve the collection, storage and use of data in a business.
Gordon can be contacted via email: firstname.lastname@example.org