On the 25th May 2018 the GDPR became law across Europe and some of the most sweeping changes to the rules governing the way our data is handled, used and protected will come into force.
There is plenty of information available furnishing people with an ever-increasing range of scary headline grabbing ‘facts’ about the GDPR. However, there is very little information on a sensible approach for companies to follow, especially those using SAP’s range of business software.
Over the coming weeks we will be publishing a series of articles intended to assist companies in their preparations to becoming GDPR compliant. The articles are aligned with the Information Commissioners (IC) excellent twelve step program. However rather than repeat what the IC is saying, we intend to put some meat on the bones and apply the implementation to a corporate setting. Outlining steps, tips and considerations gathered from our years of experience working in the field of SAP, SAP Data Management, and from our experience with SAP GDPR Compliance Projects.
Episode 1 – AWARENESS
Specifically, that you should make key people and decision makers aware of the GDPR. However, the questions we have found that come from that, are what classes as a key person and aware of what about the GDPR?
The GDPR is an enhanced set of laws which apply to the data a business holds about individuals (be they staff, customers or business partners) who reside within a European member state. Failure to comply with the GDPR could result in a very large fine. And so, in that regard the GDPR represents a risk to business. So, when deciding who within a company is a key person or decision maker, first ascertain who within the company deals with corporate risk. This is, at the highest level, most likely be the board members or chief executive.
The GDPR applies to the data that an organisation holds, so as a means to identifying key people within the company it is helpful to consider who is:
- Responsible for the management of the data storage technologies
- Responsible for the management of departments generating data
- Responsible for interacting with staff, customers, and business partners
- Responsible for any overseas offices the company may have
Reviewing this list would suggest that the Chief Information Officer, Head of IT, Head of Sales / Retail, Head of HR, Head of Customer Services and Head of Business Partner Engagement would all be key people with whom you should engage.
Having identified with whom you should engage you should now decide how you should frame your engagement and what information you will need to pass on. At board and senior management level, the concern is centered around Risk, Reward, and Cost. So, frame your discussion about the GDPR in those terms. What are the risks to the company if it doesn’t comply? In addition to the financial impact of non-compliance how will the company’s reputation be damaged and how will that affect the bottom line?
As well as a risk, the GDPR also represents an opportunity for companies to improve they’re processes, technologies and training. It presents an opportunity for the board and senior management to gain a better understanding of the operations of the company and its use of data. Savvy businesses will use the GDPR to increase the levels of transparency, accountability and as a result the level of trust the customer has towards the business.
In addition to understanding the risk and reward associated with GDPR compliance the board members and key people will most likely want to know the answers to a range of questions, including:
- How do we start?
- How long do we have before the law is enacted?
- How much will it cost us?
- How will Brexit affect the implementation of the GDPR?
- How long will it take us to become compliant?
- Who is responsible for us becoming compliant ?
In order to answer these questions, you will need to have put together what can best be described as a GDPR mini-assessment.
Your mini assessment is aimed at gathering information to enable you to answer those questions. The Board of the company needs to be made aware that under the GDPR they will be held responsible for breaches of the regulations. The board need to commit funding and resources to enable the company to become compliant. Which will involve becoming aware of the data that is held, how it is used, how it is generated etc. There may be a need to engage external partners to assist with the compliance project to purchase new technology or modify existing business processes. All of which represent a cost to the business.
Key decision makers and heads of the various departments need to commit to the project. They need to guarantee the removal of ‘walls’ and at the very least allow inspection of data silo’s.
By highlighting the cost of none compliance, tempering this with the opportunities to be gained and being able to provide answers to high level questions around timescales, costs and required resources you will be able to engage key decision makers and gain the support of the board. Both of which are an essential starting point on your road to compliance.
PODCAST – GDPR Compliance – SAP ILM
PODCAST – Moving Towards GDPR Compliance with SAP Tools
Author: Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.