If you work with data or IT at some level, then you’ve probably heard people talking about the General Data Protection Regulation, better known as GDPR — usually with mild trepidation.
It’s certainly something that’s worthy of our attention and regulators haven’t been slow to harness our interest with promises of astronomical fines and aggressive enforcement.
But does it have to be the nightmare everyone predicts? Not necessarily. It all depends on how proactive IT teams are, and how effectively they use the communications infrastructure within their companies. It’s easier said than done, but it’s all about educating staff and setting boundaries.
Naturally IT teams have a lot of work to do when it comes to preparing their systems for the onslaught of the new regulation, but that’s not specifically the focus in this instance, because for all the controls and limitations the technicians can enforce, there’s one pressing threat that isn’t going anywhere — the human factor.
Like it or not, employees themselves remain the weakest link. For all our benefits, humans also represent something akin to a perfect storm when it comes to data protection, thanks to our resistance to change and penchant for straying from the rule book. As the Information Commissioner’s Office (ICO) has noted, a vast majority of data breaches in recent years have been thanks to human error, rather than system flaws.
Putting in-depth IT solutions to one side, what can companies do using their own employee facing technology – such as Office 365 and SharePoint – to improve the plight of their data protection teams and stay on the right side of what promises to be an aggressive piece of regulation?
The answer is quite a lot, so let’s start by breaking it down by GDPR’s four central themes:
Accuracy and transparency
GDPR forces firms to be far more upfront about how they use data than ever before. This means communicating to customers unambiguously about how their data will be used, and sticking to it.
From a compliance perspective this gets tricky fast because one person’s clarity isn’t necessarily the same as another’s. It also means a whole host of new customer conversations are going to have to take place and there’s a risk much of the data that informs a business today could evaporate by next year.
Through in-office communication tools like Yammer, companies can add ready-made, searchable scripts suitable to any situation so that employees have the correct, safe wording for any situation on tap.
What’s more, by setting up GDPR specific channels, Yammer can be used to quickly communicate best practice among relevant employees, showing how to approach clients to improve the likelihood of keeping them on board and even taking the opportunity to build on any existing relationship.
Data, under GDPR, will be a far cry from the resource it once was. Rather than being a goldmine of information that can be mined again and again whenever new insights are needed, companies must stick to a rigorously defined remit and only use data for the specific purpose(s) for which it was surrendered.
Here again internal communication needs to be on point. IT teams can classify the data according to the uses for which it was intended but the limits of that use are at risk of becoming grey areas. One particularly versatile solution is to set up a chat bot within programs like Yammer, which can be programmed with the technical detail and perhaps even be linked to the archive of data permissions.
That would mean employees can ask specific questions about how to use types and pockets of data and get a specific answer, without days and days of retraining or a wide margin for error.
The responsibility of the company is clearly defined as to provide security against “unlawful processing or accidental loss, destruction or damage.” It’s a line that’s easy to cross through even the most basic act of carelessness.
Assuming IT teams have put a few fail-safes in place, the biggest risk of things going awry will come from the data that escapes the controlled infrastructure, particularly via hard copies and emails. You can use basic software like Office 365 to employ keyword scanning, and raising red flags when an employee is at risk of sending or printing something with the hallmarks of containing controlled information.
Collection is where GDPR really holds companies back. The data collected must be adequate, and only adequate for the narrowly defined purposes under which it was collected. Simply hovering up available data for its richness will have to become a thing of the past.
This is where old habits really die hard. In order to overcome the human element, systems for data collection will have to be well thought out and closely interlinked with existing employee infrastructure.
By linking together the systems employees habitually use with the programs that capture, store and protect customer data, the compliance friendly path can also be the path of least resistance. “Safe” behaviors can be linked directly to familiar processes, and doing everything by the book can be the natural course of action.
These are just a few ideas as to how existing communications infrastructure can be brought to bear in support of a step change in information regulation. Getting it right won’t be easy, but the time to be hammering out solutions is already upon us.
GDPR comes into force in May 2018. The clock is ticking.