Secure Privacy For E-Businesses (Part 3) Managing Consumer Trust
Posted on 30/05/2018
Strategic measures to rebuild consumer trust always take up more resources than a simple redesign of the website (see Part 2 ‘Boosting Consumer Trust’). They first demand that the CEO and those below him adopt a consumer perspective on data privacy. This was covered in Part 1 ‘Building Consumer Trust’. Suffice to say unless data privacy is taken as seriously at the executive level as it is by the consumer, the company will struggle to comply with the GDPR.
Protection of personal data can no longer be treated as an irksome, low-priority task. To do nothing risks hefty fines, class action lawsuits and loss of brand reputation. No-one is immune from a GDPR audit. YOUR company could be next to be fined.
Create a New Executive Position Responsible for Data Privacy
Remember the guy with the ponytail and glasses who heads your IT section? First thing you do Monday is to give him a pay rise and bring his grade up to executive level. Give him a title like Head of Corporate Data Protection and Privacy, or something similar. In doing so, you not only make the guy happy; you raise data privacy to the same importance as sales and marketing. You make a statement, not only to your employees but also to your customers.
The new executive determines which data to collect and for what purpose, and oversees the manner in which data is processed by the company. A word on GDPR terminology here: the data controller is the company itself, the legal entity which determines the purposes and means of the processing, not the individual who runs the function. The executive acts on the controller’s behalf. Those who process data on the controller’s behalf, such as a hosting company or payment provider, are data processors. Both controllers and processors must keep records of their processing activities (Article 30): what personal data is held, why, who it is shared with, how long it is kept and how it is protected. Organisations with fewer than 250 employees are exempt only where the processing is occasional, unlikely to result in a risk to individuals and involves no special categories of data, which few e-businesses can honestly claim.
GDPR requires a DPO to be appointed by public authorities, and by any company whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (health, biometric, political or religious data, for example) or criminal conviction data. The DPO's tasks include monitoring compliance, advising on data protection impact assessments, training staff members and acting as the contact point for data subjects and the supervisory authority. This last task is important. The DPO is often the company’s face on data privacy, but he or she can’t be everywhere at once. This is why it’s important for large companies to handle routine data privacy enquiries through their customer support team, with a clear escalation route to the DPO.
A small business can nominate one employee to take charge of IT security and data privacy, reporting direct to the CEO. Whether a DPO must be appointed depends on what the business does with data, not on its size: a small firm whose core business is large-scale tracking of online behaviour needs one, while a small shop which holds only its own customer and staff records does not. Even where there is no obligation, publish the contact details of whoever handles privacy so that customers and the supervisory authority know whom to ask.
Hire a good IT company which specialises in server security and data protection. Get them to test your systems for weaknesses (a penetration test of the website and the servers behind it, repeated after every major change), review your firewall rules and keep operating systems, web applications and anti-virus software patched and up to date. They can advise on encryption for data in transit (TLS on every page, not just the checkout) and at rest (encrypted databases and encrypted backups), and set up logging so that the data processors can account for where customer data has travelled, who accessed it and when. That audit trail is what you will need if you ever have to investigate a breach. These people understand the nuts and bolts of IT security. They know how to keep your data safe. They’ll even sort out your backup and recovery if you ask them nicely, and they should prove that a restore actually works, not just that a backup runs.
Data Protection Compliance Strategy
GDPR compliant data protection isn’t only about IT skills; it’s about ethical best practice too. Every company needs a data protection compliance strategy in place: a set of rules every employee can follow. There’s no point having servers built like a battleship if no-one has a clue why data privacy is such an issue.
The first stage is to identify all business processes which handle data, and to fill any holes in compliance. Procedures which address shortcomings become part of the new best practice. An internal data protection audit should be carried out either by the DPO or third-party auditor. This will involve interviewing key employees or issuing them with questionnaires. The audit report will highlight issues which need to be addressed, and from this a plan of action emerges.
Implementing the new compliance strategy will mean training every employee in the basics (why data privacy matters, how to recognise a breach or a subject access request, and whom to tell), and training those who actually handle personal data in the detailed procedures. Best practice is to limit access to personal data to the select few whose job requires it, and to remove that access when they change role or leave. This minimises both the risk and the impact of an internal data breach.
The new data protection strategy should be audited at least once a year to maintain GDPR compliance. Random spot checks can detect any lax application of procedures. Data breaches must be reported to the DPO immediately, because the clock then starts: a breach likely to result in a risk to individuals must be notified to the supervisory authority within 72 hours of the company becoming aware of it, and the affected customers must be told without undue delay where the risk to them is high. Don’t ignore the penalties for non-compliance: the top tier is up to €20,000,000 or 4% of worldwide annual turnover, whichever is the greater. Remember, GDPR non-compliance can sink a company faster than falling sales.
The GDPR deadline of 25th May 2018 has come and gone, but many companies are still not compliant. If you are worried that yours may be among them, please get in touch. You can call our office on 0203 2878 243 or email info@priviness.eu.
Further reading on this topic:
Data Protection Compliance Strategy, by Thilbaut D’hulst and Lily Kengen, Van Bael & Bellis, law stated as at Oct 01, 2017
Building Consumer Trust, by Pat Conroy, Anupam Narula, Frank Milano, Raj Singhal, Nov 13, 2014
7 Practices to Build Customer Trust with Data Privacy, by Editor, Sept 16, 2015