The EU General Data Protection Regulation (GDPR for short) will be active from the 25th of May 2018. Irrespective of where you are located in the world, if you collect client data from persons in the EU, the GDPR regulations are now part of your new standard operating procedures. You will have noticed many SaaS and app providers sending you updates to their privacy terms and conditions. In the past few weeks I’ve also noticed many more websites now showing the banner to notify you of the use of cookies and pixels. This must be related to the implementation of GDPR as well.
What is GDPR?
GDPR is all about personal data and making sure this personal data is protected from outside attacks. The onus is on the company to prove that it does every reasonable thing to protect its customers’ personal data against misuse. This holds irrespective of how you process this data: whether you process and store all the data internally, or engage a third-party supplier or SaaS provider.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
It pays to understand the compliance criteria well enough that you can manage the ongoing compliance requirements beyond May 25th. Every business that uses data from citizens of the European Union will be impacted by this new regulation. This can be customer data, prospect data or cookie data, as well as information you collect because someone is on your mailing list.
The date of the 25th of May only marks the starting point from which we need to be more vigilant in how we manage, store and process our customers’ personal information.
Looking at GDPR from this point of view means that the management requirements for GDPR can be split up across 5 different phases. These phases coincide with the general life cycle of a business process. These phases loosely align with Deming’s Quality cycle: Plan – Do – Check – Act (PDCA for short).
- Plan what you are going to do
- Do what you planned for
- Check / study and analyze the results of what you did in the previous step
- Act accordingly – improve the activities, measurements and expected outcomes.
The planning phase can be split up into recognising the need for change (in this case, changes to your processes and procedures to safeguard people’s personal data) and defining what GDPR means to you and to your organisation.
The Do phase includes measuring and monitoring your performance during the active and productive part of the processes.
The Check phase includes a thorough ongoing analysis of the data that came from the previous phase. This is where you use your KPIs and metrics to identify areas for improvement and areas to celebrate.
The Act phase is all about controlling and sustaining the ongoing improvement that you started implementing in the previous phase. Once you have these four phases working together you will see process improvement happening in your business. For GDPR especially this is of critical importance, as you need to show best effort to protect your customers’ personal data. Ongoing improvement of these processes is at the heart of this and will strengthen your case.