As we reach the end of 2017, you’ll hopefully be well aware that Brexit or not, the EU’s new General Data Protection Regulations (GDPR) will apply in the UK from 25th May 2018. The regulations represent the biggest shake-up in existing personal information protection rules for more than twenty years, and the penalties faced by businesses who fail to achieve compliance, or are found guilty of data breaches are substantial.
The UK’s Information Commissioner’s Office (ICO) will have the power to impose fines of up to 2% of a business’ global turnover or up to €20 million. According to analysis by NCC Group, fines from the ICO against UK companies in 2016 would have been £69 million rather than £880,500, had the GDPR regulations had been in place at the time.
One of the key aspects of GDPR is that of “Privacy by Design” along with “Privacy by Default”. In essence, companies will now be obliged to consider data privacy during design stages of all projects, along with the lifecycle of the relevant data process.
In this article, we will be looking at a number of ways in which centralising personal data a company holds about its contacts within an ERP system like Encore from Anagram Systems can help a business as it works towards GDPR compliance. If you are new to GDPR, we recommend visiting the ICO’s website and reading their policy guidance documents about the subject.
Effective Data Security Management
First of all, it’s important to emphasise the fact that GDPR compliance is, in essence, not so much an IT or software project but something much wider – a legal business regime which demands that businesses think carefully about data management, policy and processes. No single piece of software will enable a business to become GDPR compliant, however, the way in which a system is used by operatives to access and manage data can help an organisation develop its internal policies and achieve its compliancy goals.
The importance of developing an internal data security policy before GDPR becomes law cannot be overstated. In addition to appointing a dedicated data protection officer, businesses must document what personal data it holds, where it came from, how long it has been held, and how it is shared. In order to achieve this, many companies will need to organise an information audit.
A high proportion of businesses are reliant on multiple systems and spreadsheets to manage their contacts’ personal data. The greater the number of systems in place, the harder it will be to manage an information audit. The use of multiple systems also increases the risk of data breaches.
For example, if a salesperson uses a smartphone on which customer data has been stored and the device is left on a train, this could constitute a breach. Similarly, if a memory stick used by the accounts department containing spreadsheets which includes information about suppliers is lost, this too is an infringement. If the marketing department fail to update a contact record or delete it altogether if an individual requests it is removed, this will also breach the new regulations. The ICO’s website will provide you with many more examples.
To make it easier to manage an audit – and regulate the use of data within an organisation – implementing a single ERP system like Encore to store sensitive information can help mitigate against the risks that come hand-in-hand with using multiple applications, thereby reducing the likelihood of a data infringement occurring.
It’s far easier for management personnel to see and control who in a business has access to data using a single system. Encore, for example, includes data access management functionality that ensures that data users do not have unauthorised access to information that is not relevant to their role. It’s far harder to achieve visibility of who is accessing data if it is stored in multiple repositories on different devices, some of which may well be invisible to a business’ management team.
Put simply, the smaller the number of data sources that a company has in place, the easier GDPR compliance will be.
Managing Consent and “The Right to be Forgotten”
One of the most significant aspect of the new regulations is the issue of consent, and the implications this has as far as marketing is concerned. Businesses will now be required to obtain explicit consent to contact individuals for sales and marketing purposes. Companies must also delete information about a contact as and when requested. The regulations stipulate that it must be as easy for someone to withdraw their consent as it was to grant it. This has been termed “The Right to be Forgotten”.
Consent notices need to be written in plain English and explain exactly how a contact’s details will be used. Notices that rely on contacts to uncheck boxes to agree or disagree with terms and conditions are disallowed, as are agreements which contain easily overlooked small print.
Furthermore, a business must be able to demonstrate – if challenged – that a contact has provided consent to be contacted. Many businesses will need to amend the consent notices that appear on their website and any forms they use for collecting data.
Encore includes dedicated Customer Relationship Management (CRM) functionality for managing contact records and histories, enabling users to maintain an audit-trail of all contact touch points, including email correspondence and details of calls and meetings. Consent notices can be downloaded into the system from a company’s website. Scanned paper forms can be uploaded into Encore and stored within contact records.
Similarly, details of all communications are stored alongside details of the Individuals to whom they have been sent, adding an additional layer of governance and traceability.
Under GDPR, all infringements need to be reported to the ICO within 72 hours of having taken place. By using Encore as the single, central repository for all contact information including consent notices, a company can very rapidly access and provide any information required by the ICO.
Safeguarding Data in a Secure Environment
Hardware is also a factor to consider in terms of working towards GDPR compliance. If a company is still using computer operating systems and server infrastructure that is approaching end of life, there is a high risk that it will become unsupported.
It’s only practical for hardware and software vendors to support current products and support is nearly always withdrawn for older, legacy products. This means vendors cease to issue patches and updates which ensure their technology is secure.
If a software system is hosted on an unsupported server, it is vulnerable to attack. If software and data is compromised as a result, the ICO may well find a company culpable of negligence and impose a fine.
Businesses therefore need to make sure their hardware is fit for purpose and properly supported either by its own in-house IT personnel or third party support providers.
The alternative – which may be more practical and affordable for many smaller businesses – is to migrate to the cloud to ensure that software systems and data are maintained in dedicated data centre which has been professionally accredited and certified. Many software developers – like Anagram Systems – are able to provide secure hosting facilities for their software.
GDPR as a Business Opportunity
Although achieving GDPR compliance may seem onerous, it is actually an opportunity for businesses to rethink the way in which they interact with prospects and customers. As the Direct Marketing Association (DMA) recently put it:
“UK businesses should seize upon GDPR as the catalyst to transform their businesses into human-centric ones. They should use the GDPR framework as the foundation for an authentic and transparent relationship with their customers.”
In many cases, better data governance will also help businesses improve their understanding of their prospects and customers. In this respect, GDPR should be seen as a business opportunity for improving data driven marketing.
The ICO website address is: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/