17 Jan, 2024

A simple path to full GDPR compliance after the 25th May

GDPR compliance has been overcomplicated and re-interpreted by many, and perhaps overblown by some. Compliance should not be complicated. Companies should seek to be totally compliant, but how does one prioritise? The deadline of the 25th May has passed in a cloud of (sometimes unnecessary) emails.

So how does one proceed with compliance after the big day? On the path to compliance we need to make sure we don't overcomplicate, and that we create systems that are sustainable over time. The big wave of panic and rushed compliance effort has passed, but the legislation is here to stay.

Here’s how to approach the long term with a clear head:

  • What you should have done so far (or should do right away)
The first step is to get your marketing and touch-points up to scratch. The Privacy Policy and Terms on your site should have been updated to explain exactly how you collect and use prospect and customer data, and any forms that collect information from the website should by now have the relevant check-boxes.
  • Once your public-facing platforms are sorted, you need to look at the data you have in hand. By now you should have appointed a data protection officer who is in charge of making sure the processes and breach-response systems are in place. This officer needs to have a list of how the data enters your company, how the data owners are informed of how their data is being used, and a detailed description of why and how this data is used, how long it is stored, etc. This information should also extend to when and how this data is released to the data owner and to any other third parties.
  • You need to train your staff and make sure they are fully aware of, and trained to follow, GDPR compliance regulations. To keep your processes safe from staff misconduct, it is also advisable to invest in software that is already GDPR compliant, such as Microsoft Cloud email technologies. It's important that you bridge the knowledge and technology gaps within your company in relation to GDPR.
  • Finally, you need to make sure that everyone, including your clients, is well informed about the communication channels that have been put in place to report or draw attention to GDPR misconduct across your whole organisation. It is not possible to control the behaviour of every person in your company; it is, however, possible to make sure you have the processes in place to manage concerns before they become a breach.