How to Get Your Organization GDPR-Ready: 6 Practical Tips that Work

May 25, 2018 — the day when the GDPR officially comes into effect — is steadily approaching. One of the most stringent regulations to date, the GDPR aims to ensure the secure and lawful collection, processing and storage of the personal data of EU citizens. So it’s no wonder that FUD (fear, uncertainty and doubt) is growing fast.

To help you get ready for the GDPR and avoid panic during the GDPR compliance audit, we reached out to several companies and asked the following question: What steps has your organization taken to comply with the GDPR, and what advice can you give to those who are just starting? We received many helpful and even surprising replies, and we’re eager to share the top six responses.

Jose Romero, Senior Digital Strategist

Overit, a full-service digital marketing agency (Albany, New York, U.S.)

GDPR has some major implications for our company as well as our clients, many of which have international businesses that rely on frequent communication with prospects, customers and other key stakeholders in the EU. Consent is important, so we have begun speaking to our clients and educating them on how to obtain appropriate consent from users they keep records on or plan to contact in the near future.

Internally, our team has begun gearing up by combing through our contact lists to purge any records of individuals we no longer maintain relationships with and update records for those that have moved on to new positions and are still interested in hearing from us. This includes but is not limited to cold leads, lost leads, bounced contacts, unengaged addresses and media lists.

We have also started the process of reworking our privacy policy on our website and revisiting how we collect addresses, and are continuing to work towards improving our overall communications with stakeholders for both domestic and international contacts.

This is not the first time we have had to beef up our international compliance practices. In the past, we have had to deal with CASL (Canadian Anti-Spam Law) and take precautions there, and I am sure this will not be the last time. As a general rule of thumb, legislation changes abroad tend to set the tone for the industry, so our intention is not just to abide by CASL or GDPR, but to ensure our brand is responsibly and proactively scanning for potential changes in marketing and privacy legislation internationally.

Karolina Rut, Communication Specialist

Sparkbit, a company offering software development outsourcing and IT consulting services (Warsaw, Poland)

The GDPR coming into force brings huge changes for SMEs like ours. In the first place, we consulted a lawyer specializing in personal data protection in order to better understand what the GDPR act involves and how our company should proceed to comply. Afterwards, we started analyzing what data we have, who has access to it, how it is protected, and what the potential risks of data compromise are.

We prepared a very detailed list of each document containing sensitive data and specified how it is stored (printed copy, on a computer disk, in the cloud, etc.). Now our focus is to create rules for handling each type of sensitive data, such as who can access what kind of data, where it should be stored and for how long, which documents have to be printed and locked away, which documents can have a digital version, etc. We are also preparing a specific confidentiality agreement for our employees.

Right now, we feel kind of ready for the GDPR coming into force. The last thing left is to create a list of potential risks to our organization and data, along with their impact and control recommendations, so we can avoid them.

Ruth Carter, Owner/Attorney

Carter Law Firm, the umbrella company for the professional speaking and writing activities of Ruth Carter, a licensed attorney in Arizona and an authority on intellectual property, business contracts and internet law (Phoenix, Arizona, U.S.)

I am an internet attorney who advises clients on GDPR compliance, and I am getting ready for the GDPR for my own company. In addition to updating the company’s privacy policy, I added double opt-in to our email list, and I am asking my current email list to re-opt-in. Anyone who does not opt in, whom I do not know and whose residency I cannot verify, will be removed from the email list.

These are my main pieces of advice for companies working on compliance:

  • Either read the law carefully yourself, or consult a lawyer or trusted provider.
  • Use double opt-in consent for your email list.
  • Do not add anyone to the email list without his or her explicit consent.
  • Be transparent about what data you collect and how it is used.
  • Only collect data that you need.
  • Only allow employees and contractors to access it on a need-to-know basis.
  • Err on the side of caution; the fine for violating this law is millions of dollars.

Hannah Whitehouse, Content Marketing Manager

Bouncezap, creator of a lead-generation marketing tool used by businesses to increase their conversion rate (London, U.K.)

As a SaaS provider that works with different businesses, we know that protecting our customers’ information is vital. We have recently been focused on rewriting our privacy policy so that our users, and particularly our clients, know how their information is used and that their data is safe. We run a lead-generation tool that provides analytics on our users’ campaigns; therefore, GDPR is even more important to us: Our users will know their information is secure and will not be used in our promotional materials without their express permission.

Over the next two months, we will be reaching out personally to users to inform them of our policy, in addition to clearly displaying our new data policy on the website, so that we are protected regardless of which page visitors land on.

I would advise companies worried about GDPR compliance to start now. Ask yourself, do you have a privacy policy? Is it prominent on your site? Is it vague? It’s important to remember that your privacy policy and terms of use are just as much to protect you as to protect your users. Finally, use the plethora of GDPR-related sources online to make sure there is nothing you are missing. The last thing your business needs is to be rushing around right before the deadline still unprotected.

Ian McClarty, President

PhoenixNAP, a global IT services provider offering progressive infrastructure-as-a-service solutions from locations worldwide (Phoenix, Arizona, U.S.)

If there is any single piece of advice I could give to those who will be affected, it is “Don’t panic.” We saw the regulation as a looming threat we would have to scramble to implement. However, the GDPR is intended to protect the personal data of EU citizens, which is a worthy endeavor. Organizations that show that they are putting forth their best efforts to put personal data protection measures in place do not have to worry about the regulations affecting their day-to-day operations or revenue.

Many requirements are far from clear, and organizations have to use their best judgment when deciding on an implementation plan. Therefore, do your best to comply with the GDPR, and do not be overconfident in your readiness for it.

Any organization looking to be prepared must take, at a minimum, the following steps:

  • Step 1: Ensure that leadership is on board and driving the change. Any effort to implement the policies and procedures needed for compliance requires buy-in of all C-level executives and the expectation that these changes will impact all teams at all levels.
  • Step 2: Conduct a thorough data analysis. Look for all personal data stored in every system everywhere. This is not a small effort and may take months.
  • Step 3: Determine the basis for consent of all data. Once you know what data you have, figure out why you store it in the first place. This is not just an exercise to justify why you “want” to store data. Instead, this step ensures you have a legal, justifiable reason to keep that data.
  • Step 4: Decide on a retention policy. You need to determine how long to retain the data, and what to do with it (delete it, archive it or anonymize it) once you no longer need it or can no longer legally keep it.
  • Step 5: Train staff. While training your entire team is beneficial, initially you will want to focus on front-line staff who field requests from customers. Next, train back-end staff who manage and maintain the systems and software where the personal data is stored, and technical staff tasked with designing, architecting and building new systems and software that need to follow the data policies.

Sophie Miles, CEO and Co-founder

QuotesAdvisor.com, a company offering free comparison between personal loans, mortgage credits, pledge credits, credit cards, debit cards and car insurance (Torino, Italy)

We have decided not to ask our users for personal information. Although this choice means losing ground with respect to marketing tools, such as customer loyalty and CRM, we made some calculations and concluded that it would take 26% more funding to change our data storage units and the website to align them with GDPR requirements, rather than just update our website and no longer collect personal data.

Specifically, we decided to remove the entry forms for basic identity information such as name, address and ID numbers. Therefore, we can focus our efforts on the database of our clients, which is much smaller and vital for our business.

Our recommendation for those who have just started is to focus on the most important database. We used to have information about everything, but we discovered that we used only a fraction of it.

Final thoughts

There is no universal formula for achieving GDPR compliance. However, if you prepare by determining what data you have and what you actually need, and establishing proper policies, you can quit panicking — you will not just survive in the GDPR era, but actually benefit from it.

Former General Manager EMEA at Netwrix. Matt holds a CISSP certification and has over 19 years of experience in the cybersecurity industry. He has worked for many organizations, specializing in areas such as risk management, identity and access management, and network and database security. In the Netwrix blog, Matt shares insights on how to achieve greater levels of security and compliance.