Excuse me, sorry to bother you but…
This morning, something unusual happened. I started a conversation with a stranger on the Tube in London. For those of you outside London, or the UK, this is a big social no-no; London Underground trains are famously devoid of conversation, unless people are talking with their existing friends; this would be unthinkable in places like Liverpool, Manchester or Newcastle. This behaviour, often cited as evidence of the rudeness of Londoners, is actually born out of respect for others, but there are other factors, like not wanting to be overheard.
However, this means that you never start conversations on the Tube in London, unless (a) the train you are on has been extremely delayed, or there is some sort of genuine time-bound crisis, (b) there’s an unusual event on (a sporting event – say, England playing at Wembley – or extreme weather of some description) or (c) there’s a dog or other pet on the train. In these scenarios, it is acceptable, as a Londoner, and a Brit, to start conversations. But that’s not why I started my conversation. I noticed that someone was working on their GDPR response!
Admittedly, this immediately broke another faux-pas on the tube – that I confessed to reading someone’s screen next to me. Whilst actually seeing other people’s papers or devices is inevitable on a crowded train, owning up to it is a big problem. So, I obviously started with a fulsome apology.
“I’m terribly sorry for disturbing, but I couldn’t help but notice that you are working on a GDPR response. How are you finding it?” Or something like that.
After the initial shock of being spoken to on the train, the lady – a head of department at a fashion retailer – said yes; actually, it wasn’t her responsibility, but she was applying for budget to get the relevant resource to address the issue. She didn’t want to disturb her team too much because they had their own job to do. I got the strong impression that she felt it was a major imposition on her team, considering they have targets to hit, and this had been sprung on her team.
And I think that’s why I decided to speak up in the first place, because it strikes me that GDPR is something of a genuine time-bound crisis, although not confined to a tube journey. And it’s made worse by the fact that no-one is talking about it with each other.
With data protection threats – cyber security in particular – one of the best practice recommendations is to talk with your peers about what threats or challenges are out there, so that everyone can be better prepared for issues that they might not have faced yet, but others have, and vice versa.
But this is not what happens with data protection and GDPR. Your own customer data, so the logic goes, is your own, and even talking about how you manage it risks your key IP or customer base. There is, of course, some sense to this logic; the very people who would most value your customer data are your direct competitors. But competitors are not the same as peers; one of the interesting things about insight and analytics is that the techniques and principles can apply across sectors much more readily than other areas of business.
One of the worst punishments is solitary confinement, because it enforces introspection and makes you think that your problems are not shared by anyone else. From a business point of view, this increases the likelihood of making poor decisions. And this seems to be happening with how many businesses are tackling GDPR. To be clear, GDPR is a positive step forward, and it represents a real opportunity for how businesses can manage customer data and engage with customers better. But at the moment, some organisations seem to be panicking, as they try and do this on their own.
So, here are a few tips on how to preserve your sanity and integrate GDPR:
Ask your business how they use the data they already have.
If they don’t use it, and if you don’t need the data for other regulatory or contractual purposes, this is an opportunity to reduce your risk and delete, or stop collecting, the data.
If you have questions, ask the ICO.
They are very helpful. I think a myth has developed, suggesting that the ICO are ambush predators, just waiting for the slightest mistake or missed timeline before pouncing and punishing you with the maximum possible fine. And if you speak with them, they will simply turn that into evidence against you to demonstrate your failings or lack of knowledge. But actually, they are very helpful, and very informed. They have a helpline that you can phone (it’s designed for small businesses, but actually anyone can speak with them) and they will answer your queries. They won’t provide actual legal advice, of course, but they can give you guidance about how your plans compare to others, and they recognise that there are some areas where the messages might not be consistent, so will actually take feedback and consider whether it needs to be addressed. This is a very impressive and pragmatic approach. So don’t feel like you can’t talk to them.
Factor this into your existing Cyber Security management processes.
You will have an existing policy or programme around Cyber Security and other areas of data protection. Customer (and indeed Employee) Data Management will be part of that. One of the things the ICO will be looking for, in the event of a data breach, is whether you as an organisation are taking data protection seriously. So, a credible, regularly updated and tested Cyber Security process will make a difference to how seriously they will take you. So, make sure you are doing this.
It’s a journey, not an end date.
Quite rightly, there’s a lot of focus on 25 May 2018. But, as the ICO has already said, it’s not as if the world changes at the beginning of June. The purpose of the legislation is to improve how consumer data is managed, handled and regulated. The process doesn’t end in May; it’s not as if you get all this work done in the next couple of months, and then that’s it. If anything, that’s only just the beginning of the journey. And the ICO would want to see evidence of that journey; this should be an improved way of thinking about how you engage with customers that stretches out into the future. And if you start with that attitude, many of the challenges turn into opportunities to work better and more efficiently.