GDPR is about people, not data
As humans become more able with technology and data, it’s hard to know who to trust. Alexa is always listening, Siri seems to read your thoughts, and there is plenty in the news about data breaches and privacy malpractice. It is important to remember that when we talk about ‘data’, we are talking about PEOPLE. The General Data Protection Regulation (GDPR) is vital in helping people rebuild their trust and to feel safe.
At Novacroft, we have had the ‘double whammy’ of ensuring that our business is GDPR compliant, as well as also making sure we help protect our clients from risk and reputational damage. We very quickly identified that GDPR is an opportunity. An opportunity to further simplify our processes, an opportunity to continue to protect our clients and their customers from risk and an opportunity to demonstrate that we care.
We’ve jotted down a few of the things we’ve learned along the way. To help you to really understand what needs to be done and to put GDPR into context, read on…
Getting your whole team engaged is hard yet essential
To be effective, protecting data (every person’s information) must be second nature. The first step in becoming GDPR compliant, as part of strategic review and planning, is motivating the team. You need to show what’s in it for them. At Novacroft, our data is important, and therefore it is our responsibility as individuals to stand side by side to protect others. From talking to partners and clients we know that GDPR scares people and can be a hot potato! You need to remove the myth and fear, simplifying the complex where you can. Build team awareness in the business through classroom training and communications, thinking about what motivates them.
You need to resource it
Complex organisations may have ‘pockets’ of people who are dealing with data and GDPR compliance differently. For organisations with people in the field, GDPR could be the last thing on their mind. You must ensure that you resource accordingly; don’t wait for data controllers to tell you what to do, and don’t assume data controllers are ready. You may have to lead them.
"We want to ensure that we demonstrate that we cherish not only our clients’ personal information, and their customers’ data for that matter, but the personal information of potential new clients, our team, suppliers and partners. I’ve found that going through the process to GDPR compliance has given us the opportunity to rethink and simplify how we ‘do’ our own comms."
Louise Wilce, Marketing Communications Manager, Novacroft
Having a DPO from a well-respected organisation is essential
It made sense for us to appoint Lorraine Orr from the British Standards Institute as our Data Protection Officer, as we have a long-standing relationship with them, not least because we are ISO 27001 accredited. It is important to us that our clients see the trust and recognition that come from working with this known brand, and Lorraine is extremely knowledgeable and proficient.
You could be GDPR compliant and still have a data breach
When digging deeper into our clients, third parties (suppliers) and processes, it became apparent that we could still have a data breach. You need to review data processing risks from a GDPR perspective, taking into account both risk and human error. Our mission is to reduce the probability of a breach, for example by making identification and verification more robust.
"To protect our clients and their customers we have done a huge amount of work to get everyone in the right place. By working side by side with our clients, the team here, and BSi, we have hugely reduced our risk of data breach, reputational damage, and fines."
Debra Charles, Founder & CEO, Novacroft
Automate as much as you can
It is important to systemise where you can; otherwise this will become very resource-absorbing, which could impact customer experience.
There are free tools out there
We used tried and tested tools to map our data and complete our data inventory. There are fantastic free resources on the Information Commissioner’s website, so there is no need to start from scratch.
Privacy information needs to be in plain English
Whether it is contract amendments, privacy statements, or team member training, you must use simple, easy-to-understand language without legal speak: it’s really important.
GDPR really is an opportunity
Having robust processes, demonstrating knowledge and understanding, and caring for your clients and their data all create opportunities to improve conversations with clients and boost your reputation.
We have worked side by side with our clients, and have run workshops to help them get to the root of their data processing methods, and identify where, together, we can implement permanent countermeasures to reduce risk.
My final message would be to encourage you to tell your customers what you are doing with their data. Show them your processes and safety measures. We wholeheartedly support this transparent way of working, and believe it contributes to building and maintaining that all-important trust, enabling customers to feel safe.