GDPR & Technology
The technology systems used every day to capture, store and process personal data need to be ready to meet the challenge of GDPR just as much as your staff and internal policies. Using systems or solutions that are not fit for purpose is a sure-fire way to undermine your efforts to become compliant.
The four-step process below is a good start:
Taking stock of your technology should be your first step. The number of systems your organisation uses to capture, store and process data may come as a surprise. The list could include CRM systems, email and marketing platforms, event management, employee management, spreadsheets, website portals and so on.
Include personnel from different departments in this process to make sure you have a holistic view of your organisation’s data processing systems. Create an inventory of all the systems you use, what they are used for and what information is collected and held.
Are your systems compliant by design or do they rely on a workaround? Do your solutions allow you to meet GDPR now or, if not, can they be updated or upgraded? Will your system enable you to be compliant at a fundamental level, or will it have inbuilt intelligence that prompts all of your users to remain compliant? Sometimes, especially with legacy software, the answer to one or more of these questions could be ‘no’, and you may need to look at a new solution or provider. An honest chat with your primary data-management software vendors is worth the call. They should know best how GDPR will affect their solutions and customers, and should have resources to make implementing your data policies easier.
Remember, GDPR isn’t just about capturing consent. There’s a multitude of factors including data security, erasure and data portability to be considered.
(3a) If you determine that the system does not meet your needs for GDPR, step 2 may have revealed some areas where you need to consider new solutions to help you stay on top of GDPR. In that case, a detailed Request for Proposal (RFP) that outlines your requirements would be advisable. See our ‘CRM list of requirements document’.
(3b) Alternatively, you may determine that your CRM can support you through GDPR, but that your procedures, business rules and configurations need updating. After identifying the gaps in your systems, you need to remedy the situation and ensure compliant processes. Make sure your technology works for you rather than against you.
Contact your suppliers to discuss options or employ Sirch Solutions to manage the GDPR transition on your behalf.
4. UPDATE YOUR POLICIES AND PROCEDURES, DOCUMENTATION, AND TRAIN STAFF
A DPO or internal committee should be placed in charge of implementing new data and consent management processes. With policies in place, you next need to update your internal documentation and ensure all staff are trained consistently across teams.
5. REVIEW AND REPEAT
Regularly reviewing your internal policies, procedures and technology ensures you stay compliant across your organisation. The ICO is likely to refine its advice over time, and subsequent laws (for example, the ePrivacy Regulation) may make some new processes sub-optimal or even non-compliant.
Having a simple framework in place that allows you to review your systems and procedures, identify gaps and take steps to remedy them ensures that you stay proactively compliant. Remember the ICO is likely to look much more favourably on those organisations that are clearly trying to remain compliant, even if and when mistakes occur.