Technology is changing the way we collect, process, store and use data in both our personal and professional lives. In the UK, the topic of data protection is more timely than it’s ever been before. With just seven months to go until the General Data Protection Regulation (GDPR) comes into effect, many organisations are concerned about how to transform the way they operate when it comes to personal data.
So, what’s my message to these businesses? Don’t panic! Many are wrestling with a variety of questions on how to prepare, from thinking about building, maintaining and measuring consumer trust, to ways of sourcing and sharing customer and employee data.
There’s no playbook with the specific actions to follow, but I hope the following takeaways might show this regulation as a chance to become aware of the data you’re collecting, the value it creates and the trust you can build with your customers, AND your team and the people in your organisation.
We suggest the following activities:
Map the journey - Businesses collect a vast amount of personal data on staff and potential recruits, everything from interview notes and background checks to fingerprints for biometrics, photos for security passes, pensions data, next of kin details and much, much more. So how can businesses build a full picture from all this data? I’d recommend they map the data journey in the same way a marketing team maps the customer journey. This approach will flag the points where personal data is stored and how it is processed, allowing a risk profile to be created. It’ll also ensure the personal data of unsuccessful job applicants/ex-employees is deleted as it becomes irrelevant.
Adopt flexible reporting - HR teams routinely take data-sets from various databases and transfer them to custom spreadsheets to run analysis on performance, absentee rates, etc. These End User Computing (EUC) documents are highly portable and so often less secure: an HR team member could, for example, lose a laptop with a spreadsheet containing personal data, or accidentally send the file to the wrong recipient. Businesses could look to de-risk by replacing EUCs with a more flexible cloud-based reporting system that would allow HR teams to query data without having to move the data from the source.
Invest in compliance training - For me, one of the biggest challenges of GDPR is how enterprises can ensure all their people understand their responsibilities under the Regulation, especially if they have large contact centres, training centres, HR teams or other functions that routinely collect and use personal data. This means training on how to handle and protect personal data in a compliant fashion is going to be essential. To help, Accenture has produced a quick online training course that can help businesses prepare their colleagues, covering the responsibilities under GDPR and the implications of their actions around handling personal data.
Enhance your workforce - There is currently a chronic lack of Data Protection Officers (DPOs), and if businesses don’t act now, recruiting compliance specialists will be tough. If business-as-usual after GDPR comes into effect is to be maintained, technical implementation teams will need a definite boost. For instance, would they be able to handle a flood of data access or ‘Right to be Forgotten’ requests from customers and colleagues? IT will also need larger design teams to ensure privacy is baked in to all projects. So, organisations should look at talent acquisition programmes around DPO positions, or whether partnering with a third party is a better option.
The above recommendations are a good starting point and there will be many other activities to build into your people approach. If GDPR is to be turned from a compliance headache into a foundation for positive business transformation, then I believe changes in the way we build trust and ensure data protection are crucial.
This will start with the teams we manage and the people in our organisations not only being aware of the regulation, but having belief in the value of these changes and translating this into a new way with their colleagues, customers or citizens.
This blog is part of the Accenture GDPR Series on what it means for your business, colleagues and the broader UK landscape. Over the next months, key elements of the regulations including data protection, digital trust, risk calculation and data consent will be highlighted. If you have a suggestion for a next topic, please email firstname.lastname@example.org.