GDPR – what is it really about?

   Words by CRM Consultancy

   on 23/05/2018 10:00:00

At this point, almost everyone will have heard of GDPR to some degree, but from my experience over the last few months there are still a number of myths and misconceptions about what the regulation actually changes.

Over the last two years of helping clients prepare for GDPR, and particularly over the last six months of 'get ready for GDPR now' activity, it has been useful to look not only at the detail of the regulation but also at the underlying ethos behind why it is happening.

That prevents us from seeing GDPR merely as a burdensome piece of regulation, and from missing how our relationship with data is changing and how companies can and should respond to that change.

GDPR – why is it here?

Over the last 15 to 20 years we have had a very laissez-faire attitude to how we store and use data, and that attitude has shown itself in bad practice such as passwords stored in plain text, or significant data leaks taking place and being kept quiet. This was not primarily a failure of IT security but of a culture that placed no value on other people's data.

The main cultural shift that comes with GDPR is this change in how we perceive data.

In times gone by we could think of data as fleeting and valueless, but with Machine Learning and Big Data becoming mainstream, data has steadily become more valuable, to the point where business models exist almost purely to collect data that powers AI research or targeted marketing.

Our attitudes to data however have not been moving at the same pace, and GDPR is one step towards correcting this.

For example, if we borrowed a physical item and held it for a client or partner, we would not leave it in an unlocked office overnight without any precautions; doing so would obviously break the trust the client placed in us when lending the item in the first place.

But with the changing nature of data we have lacked that definition of 'obvious' when it comes to upholding or breaking this trust, and the perception has been that the Controller, the company storing the data, has carte blanche: effectively owning the data rather than borrowing it from the Data Subject.

This perception of ownership rather than usage has led to companies and individuals not reflecting on their responsibility, and so storing and using the data in irresponsible ways.

This is understandable, as the technology world has been changing and keeping up with that change is difficult; yet as technology becomes ever more central to our lives and businesses, this clearly needs to change. To me, GDPR is a first step in how it should change.

After all, absolutely everyone in the IT industry knows that we should never store a password in plain text, yet several large companies have been found doing just that. This is not a technical problem but a cultural one: we simply have not valued our customer data enough to take the responsible steps.
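To make the plain-text point concrete, the following Python is an added example (not code from the original article or from CRM Consultancy) that puts the criticised practice beside the responsible one. It uses an in-memory dictionary as a stand-in for a user table, and the scrypt work factors are assumptions chosen for the example rather than a recommendation for any particular system.

```python
import hashlib
import hmac
import os

# Scrypt work factors (assumed for this example; tune to your own hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DUMMY_SALT = b"\x00" * SALT_BYTES  # used only to equalise work when a user does not exist


# --- The practice the article criticises: the password itself is the stored record ---

def store_plaintext(table: dict, username: str, password: str) -> None:
    """Anyone who can read the table (a backup, a leaked dump, a curious admin) has the password."""
    table[username] = password


def verify_plaintext(table: dict, username: str, password: str) -> bool:
    return table.get(username) == password


# --- Hardened form: a per-user random salt plus a slow, memory-hard KDF ---

def _derive(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte verifier with scrypt; the password cannot be recovered from it."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_hashed(table: dict, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    table[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_hashed(table: dict, username: str, password: str) -> bool:
    record = table.get(username)
    if record is None:
        # Do the same amount of work as a real check so timing does not reveal valid usernames.
        _derive(password, DUMMY_SALT)
        return False
    # Constant-time comparison of the stored verifier against a fresh derivation.
    return hmac.compare_digest(record["hash"], _derive(password, record["salt"]))


def passwords_exposed_by_leak(table: dict) -> list:
    """What an attacker learns from a copy of the table: every plain-text entry, nothing from hashed ones."""
    return [(user, rec) for user, rec in table.items() if isinstance(rec, str)]


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, "alice", "correct horse battery staple")
    store_hashed(strong, "alice", "correct horse battery staple")
    print("plain-text table leaks:", passwords_exposed_by_leak(weak))
    print("hashed table leaks:", passwords_exposed_by_leak(strong))
    print("hashed verify ok:", verify_hashed(strong, "alice", "correct horse battery staple"))
```

The difference that matters for the article's argument is what a leaked copy of the table gives an attacker: the plain-text table hands over every customer's password, the hashed table hands over nothing usable without a slow per-guess computation.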

Trust

To put the above into practice, we should see GDPR compliance as being about becoming a trusted organisation capable of fairly and securely storing customer and personal data.

This is less about 'opt-in' emails to secure some form of consent, and more about being transparent on how and why we store other people's personal data.

At a high level, this ethos of transparency and trust is how to be truly GDPR compliant; it will also become more and more important as the economy becomes more connected through technology, and our customers want the security of trusted relationships over the potential for exploitation of that technology.

For technical people such as ourselves this is a natural evolution of trust in a distributed world built from cloud services (and this is likely why we are all so intently focused on GDPR!).

GDPR is a step to building the framework and common rules that will give individuals and customers this level of trust in organisations.

IT vs GDPR

In some ways consultancy companies such as ourselves have a unique perspective on GDPR: we have often worked alongside large banks and other major institutions, and through this we have watched the security landscape change dramatically.

Five years ago I imagine everyone had their own horror stories of security as an afterthought, but we have seen this change as IT and data security have become a core requirement of doing any ongoing business.

From our experience in this area, three things often hamper good security practice in an organisation:

1. Slow, unwieldy IT processes or a lack of technical expertise mean that governance and security teams cannot respond quickly enough to a changing IT landscape, and these projects are treated purely as IT projects rather than being properly aligned with the business.

2. Conversely, more agile divisions in an organisation find ways to work around existing processes to deliver better business, but in doing so open up security holes, because these projects are approached purely from a business perspective without IT input.

3. Data is seen as a by-product of doing business and not treated with care; this is particularly true when an organisation lacks the tools to make managing it easy, so shortcuts get taken. This is where the cultural shift of GDPR outlined above comes into play, and where we can embed this approach across an organisation so that it operates compliantly rather than merely being declared compliant.

From an IT perspective, there are several useful steps to take when considering how we store data:

  • Data Audit - Mapping where and how we store data, including the places it ends up without anyone deciding to put it there (backups, exports, log files and third-party systems are all part of the map)
  • Security - Controls to prevent external actors, and anyone without a legitimate purpose, from accessing this data
  • Data Breaches - Documented steps to handle a data breach (whether from external actors or accidental leakage); GDPR expects a notifiable breach to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, which is not achievable without a rehearsed plan
    • NOTE: the regulation does not prescribe individual security procedures, but it does require appropriate measures and, above all, a prompt and documented response. Breaches can and will happen; it is your company's response that will largely inform how compliant you are.

Principles for GDPR Compliance

There is no automatic right way to GDPR compliance, but the following points should be helpful advice going forward after 25 May 2018:

  • No magic bullet – in the same way that no CRM will sell your products for you, no system will make you GDPR compliant. Your culture and employees will make you compliant, and your systems will help with this.
  • Why are you storing the data? – ask yourself why you are storing each piece of data, tag the data with that purpose and be confident that you can justify it. This is far better than trying to obtain explicit consent to use the data in some way, and keeps to the ethos of treating individuals fairly and transparently in how you hold their data and why. Ensure your CRM or other database can record this purpose against the data.
  • Make it easy – exactly as with user adoption, what gets used is what works, so arming your teams with the right tools is key. If those tools are cumbersome and difficult to use, we shouldn't be surprised when people find ways round them and make compliance harder.
  • Experts? - in my travels as a somewhat 'accidental' GDPR expert, I have been looking for the 'real deal' in certified consultants who could be trusted to sign off on compliance; however, the certifications and training courses are still immature, so there is as yet no right way to be a GDPR expert.
  • Technical Experts – technical analysts and architects can help with compliance, as we are used to mapping out how companies store data to help them understand their 'data real estate'. This is not GDPR compliance in itself, but it helps in understanding where and how data breaches can occur; for example, understanding how systems generate log files, and how a log file that captures personal data is itself a data breach if not managed (to use a recent example!).
  • Don't ignore it! – GDPR is likely the first step in realigning our relationship with data, and in understanding the responsibilities that come alongside the opportunities of the new tech-based economy.
  • It can be an opportunity – putting our customers in charge of their data is a similar activity to making ourselves more customer centric, and customer-centric businesses have a good track record of delivering better results and better retention. So becoming GDPR compliant will not create performance in itself, but the cultural shift involved can help us realise more customer-centric opportunities.
  • GDPR and CRM - in this bigger picture GDPR is a natural fit for the CRM industry, in that it is not how a system implements GDPR compliance that matters, but how a business uses its systems to be compliant; this is similar to the big goal of CRM, good user adoption.
  • Roles and Responsibilities – know what responsibility you outsource to third parties such as technology providers and what you retain in-house, and have these roles well defined (the third parties typically being Data Processors in GDPR-speak, with your organisation as the Controller).
  • It's not here to ruin you! – following new rules can be a pain, but GDPR is more about redefining how we relate to data than about nailing companies to the wall. The ICO and EU are not likely to start going after any and all companies at the starter pistol of the 25th; instead, expect them to look for companies gradually improving their processes and attitudes to data.
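The data audit step above, and the log-file example under 'Technical Experts', both come down to the same question: where is personal data turning up that nobody decided to store? The following Python is an added example (not code from the original article or from CRM Consultancy) that runs a small audit over constructed log lines and shows the redaction that stops the leak. The log lines, the file names and the detection patterns are all assumptions made for the example; a real audit would extend the patterns to whatever identifiers your systems handle.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not real customer data).
SAMPLE_LOGS = {
    "web.log": [
        "2018-05-23 10:00:01 INFO login ok user=jane.doe@example.com ip=203.0.113.7",
        '2018-05-23 10:00:05 DEBUG contact form payload={"phone": "+44 7700 900123", "msg": "call me"}',
        "2018-05-23 10:00:09 INFO healthcheck ok",
    ],
    "worker.log": [
        "2018-05-23 10:01:00 ERROR mail bounce for bob@example.org: mailbox full",
    ],
}

# Kinds of personal data to look for. The patterns are deliberately simple and are an
# assumption of this example; extend them for names, postcodes, customer IDs and so on.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+44\s?7\d{3}\s?\d{6}\b"),    # UK mobile format, as used in the sample
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),  # IP addresses are routinely personal data under GDPR
}


def audit(sources: dict) -> dict:
    """Data audit: map each source to the kinds and counts of personal data found in it."""
    report = {}
    for name, lines in sources.items():
        found = Counter()
        for line in lines:
            for kind, pattern in PATTERNS.items():
                found[kind] += len(pattern.findall(line))
        report[name] = {kind: n for kind, n in found.items() if n}
    return report


def redact(line: str) -> str:
    """Replace each match with a placeholder so the line can be written to a log or shared safely."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(f"<{kind}>", line)
    return line


def contains_personal_data(line: str) -> bool:
    """The check a logging wrapper would apply before a line leaves the application."""
    return any(pattern.search(line) for pattern in PATTERNS.values())


if __name__ == "__main__":
    for source, kinds in audit(SAMPLE_LOGS).items():
        print(f"{source}: {kinds or 'no personal data found'}")
    for line in SAMPLE_LOGS["web.log"]:
        print(redact(line))
```

The audit output is the 'data real estate' map for these two files; the redact step is the fix that turns a DEBUG line carrying a phone number back into something that is not a breach when the log is shipped to a third-party service.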

We have presented on GDPR and CRM several times over this year and the slides form a useful companion piece to this article.

Further Reading

Given our client base and focus on security for Dynamics CRM, GDPR and CRM has been a particular focus for us over the last year, and we have written articles on the topic that may be useful in understanding different aspects of compliance and good general security practices.

GDPR and CRM

Implementing GDPR with Dynamics

Data Breaches by Email

Workspace for GDPR Requests (SARs)

Each of these articles has a section on further reading and follow-up links that may be useful for a deeper understanding of GDPR and the tools that can help.

The ICO and EU Websites on GDPR are also good reading and quite well laid out to avoid death by information overload!

Guide to the General Data Protection Regulation (GDPR)

EU – GDPR Information Portal