Having spoken to well over 120 companies and organisations now, we keep hearing one of two messages: "GDPR, oh yeah, that's an IT thing isn't it?" or "GDPR, oh yes, our marketing team are taking care of that".
The truth is that GDPR is not solely an IT thing, nor solely a marketing thing, nor indeed solely a customer service thing or a finance thing. GDPR is a whole company thing.
From the Managing Director down to the intern opening the post bag, GDPR affects everyone in every company in some way (even if it is only in the employer/employee relationship).
So does that mean it doesn't apply to sole traders? Erm, sorry, but no, assuming you have either clients or suppliers within the EU/UK. If you have neither, feel free to stop reading this article right now.
Assuming you've read the last sentence, realised that's not you and are reading on: if GDPR is a whole company thing, and it is, how can you turn it into an advantage rather than an overhead?
In our experience, one way to turn it to advantage is this. In today's interconnected world, most communication within a company is an email or an SMS text message rather than a conversation, so GDPR can prove to be a rare opportunity to get representatives from every area of your company in one room. Ideally that is physically in one room, but if you operate remote locations then some may need to join the meeting via video link (preferred) or audio link.
Data discovery and mapping underpin the record of processing activities that GDPR requires (Article 30), and are best initiated via a data discovery meeting. These data discovery meetings, if conducted correctly, provide a real opportunity for each department to learn what data is held, where, and why.
I've lost count of the number of times I've heard "ah, now I see why we need to complete that form", or equally "so do we really hold this piece of information about each client? And we keep that for 10 years?", or even "why on Earth do we ask our clients that? What do we do with that information once we have it?"
Not only do these data discovery meetings provide a way for the IT manager and their team to identify individual data silos (some of which they may currently be unaware of), but they also enable the company to identify ways of avoiding data duplication and equally of learning examples of best practice from each other.
It cannot be overstressed how important the discovery of individual data silos is. If there is a data breach, or the risk of one, it is significantly easier for the IT director/manager and their team to deal with if they can be 100% confident that they know the location of all data covered by GDPR within the organisation; GDPR expects a notifiable breach to be reported to the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of it (Article 33), which leaves no time to go hunting for copies of the data. Equally, you don't want an ICO GDPR audit to be the first time you discover that John in Marketing has his own full copy of your client database on his laptop in an unsecured MySQL database.
It is important to realise, too, that GDPR compliance is ongoing; it is not, as some would have you believe, a one-off event. GDPR is here to stay. Your business will continue to grow and procedures will be updated. You may also have personnel changes, either as part of the growth of your organisation or to replace staff who have moved on to new ventures. With this in mind, we recommend rerunning the data discovery meetings every six months (or every three months if your company is going through a period of rapid change).
Hopefully that's given you some food for thought. You can find out more about data discovery at our website at https://www.ensurety.co.uk or on our Facebook page at https://www.facebook.com/ensurety.