Guest blog by: Paul Dawson-Hart, Member360
My first ‘eye opening’ GDPR experience was sitting in a room studying for GDPR exams with a mix of Information Governance/InfoSec consultants, multi-national aerospace, defence, IT and pharma organisations as well as a guy from GCHQ who said he worked at Matalan.
As the sole membership sector representative I was somewhat unsure as to my comparable level of knowledge around GDPR, how to go about preparing for it and then of course, transferring that knowledge back into the sector. Looking back now it should have been no surprise that we were all in the same boat.
There are no GDPR experts
Yes, there are those that have extensive backgrounds in the audit of compliance with the existing directive, but is it realistic to proclaim to be an expert in something that hasn’t been fully thrashed out yet? There are recitals to consider, member state derogations in the pipeline (such as the UK’s here) and finally, and most importantly, the case law. The legislation is peppered with words such as ‘suitable’, ‘reasonable’ and ‘proportional’. Consider the responsibility of the controller (that’s membership organisations), for example:
“The controller shall use only processors providing ‘sufficient’ guarantees to implement ‘appropriate’ technical and organisational measures ‘in such a manner’, that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject”
Furthermore, Giovanni Buttarelli, European Data Protection Supervisor, is not expecting guidance on actual GDPR certification to arrive until the end of this year – read here.
In 2017 I’ve been involved in many an interesting debate with marketing professionals around pro-active consent, what to do with legacy data, data portability and the dreaded ‘legitimate business interest’ argument. Unfortunately, as we know all too well in the membership sector, it is dangerous to listen to those that shout the loudest. Everyone is clamouring for the very same latest ICO email update to base their latest opinion piece on.
Finally, there are ‘a few’ technology providers, and in particular CRM vendors, advertising ‘GDPR compliant’ solutions. I’ve seen this at GDPR-branded seminars targeted at those interested in changing CRM. No surprise perhaps, considering a recent survey suggesting almost 40% of charities are considering changing CRM due to GDPR; more information on that here.
There is no GDPR compliant CRM solution, there are no large scale CRM vendors that could build one in advance of May 26th 2018 and there are no ‘GDPR experts’ that could realistically tell them how to do so (yet).
So what should we do and who should we trust in order that we can get ready?
I have three starting tips for your journey to GDPR readiness:
1) Ensure you understand and engage organisations/individuals that know both the legislative GDPR text and the legislation it replaces
Often the slides that generate most debate in my presentations are those that are simply referring to enforcement around current legislation, i.e. Flybe, Talk Talk & the RSPCA. Yes, they are fascinating to talk through, but there is nothing new here. That said, it is of course a useful ‘conversation starter’ that Talk Talk’s £400,000 fine could have been £71,000,000 under GDPR.
Ensure that those, internal or external, who undertake this work have a background that demonstrates insight into both new and existing legislation, enthusiasm as to the positives of GDPR, as well as the challenges of applying these principles, ideally in your own sector! Be wary of those who’ve simply done a course in GDPR and are now an expert! Would you engage a project manager for a large project just because he/she’d been on a 1-week PRINCE2 course?
2) Consider this as a major business change exercise
The challenges of GDPR readiness are similar to those of any large scale change process that impacts on people, processes and technology, whether that be a full restructure, a CRM implementation or a digital transformation. Look for those with experience of getting senior level buy-in, engaging change champions and combating change resistors such as your sales/recruitment team, who may want to retain their hidden data silos. They’ll need persuasive skills to sell ‘what’s in it for me’ to your Membership, HR & Finance teams and coerce them out of their bad habits.
In short, a cultural change will be needed throughout the organisation to embed GDPR (or even simply to meet the DPA), and to support the principle of accountability.
3) Beware the ‘Jack of all trades’ but master of none. There is no ‘single lens’ view of GDPR
In association with Memberwise & Latcham Member Engagement, we’ve recently organised a GDPR learning event with an expert panel that touches all the bases.
It will cut through the jargon, and the fear mongering, to provide a membership focused 360° view of what this means and how we should all be preparing for May next year.
Experts will cover areas such as:
- Direct marketing & Communications
- Data processing
- Compliance auditing and risk
- Data Security
- Specific membership sector data security insight
This event was in very high demand and is now full, but contact me on [email protected] for details of future GDPR events.
In my next blog I’ll look at how the new controller/processor relationship will operate and how you can assess whether your current processors are the right ones for your journey towards GDPR readiness.