What Do I Need to Do to Become GDPR Compliant?

Guest post by Tanya Kennedy Luminati, MatrixMaxx Product Manager

What are the next steps once you know what GDPR is?

Officially start your security/compliance/privacy efforts

This is your first step: Read about GDPR on the Matrix Group blog, and start to learn more.

Track any efforts 

Team meetings, staff meetings, webinars, research, actions. It is widely recognized that not everyone will be ready for the May 2018 enforcement deadline, so it is critical to show a good faith effort in starting your analysis process. Documentation of your efforts is critical to proving this.

Learn more!

Many groups and vendors are offering free webinars on GDPR. Sign up and attend one; the more you know the better informed you’ll be.

A variety of organizations are hosting forums on this topic. For example, if you are an ASAE member, you have access to their GDPR collaborate forum.

Figure out your organization’s role

There is a shared responsibility for this between the Controller and the Processor.

  • A Controller is the person or organization that actually determines the purpose and means of processing personal data that they hold.
  • A Processor is the person or organization that processes data on behalf of the controller. (Matrix Group is a processor, along with countless other 3rd party vendors/providers that are providing services and systems like hosting, CRM, AMS, CMS, email marketing, marketing automation, etc.)

Matrix Group, as a web services and software provider, is a Processor of data. Matrix Group’s clients are Controllers of their data. (e.g., The Association of Widget Makers, The Society of Professional People, ACME company, etc. are all Controllers.)

In other words, we here at Matrix Group must provide tools to support the processes and procedures of GDPR, but Controllers have ultimate responsibility to determine how GDPR will impact them, and then use the tools vendors/processors (like Matrix Group) provide to put processes into place to comply with GDPR.

For example, if a user requests access to all of their data …

  • The Controller is responsible for training staff to recognize this request for what it is and to gather necessary data from all systems (AMS, CRM, CMS, marketing automation system, email marketing system, etc.)
  • Matrix Group, as a Processor, is responsible for providing tools to help with this. (e.g., Our MatrixMaxx AMS has an Individual Participation Report that aggregates most of the data that we hold on the individual, and we’ll be upgrading it soon to include even more, such as the recent login and page request history.)

Do a gap assessment: Where are you and where do you need to be?

The key questions to ask all revolve around your data:

  • Where are we getting data from?
  • What data are we storing, and where is it being stored?
  • How are we using, handling, and securing the data while we have it?
  • Where are we sending data to?

And once you’ve analyzed your flow of data, it is time to analyze what you need to do in order to comply with these new regulations. You may need:

  • Management resources, to help establish and enforce new policies for data collecting and handling
  • Technical solutions and tools to deal with the new rules
  • Legal advice to help rewrite your privacy policy or deal with the more complex aspects of the regulations

Reach out to your vendors and partners

At this point, any software/system partner should be thinking about their response to new privacy and security regulations like GDPR.

Here at Matrix Group:

  • We have obtained our SOC2 certification in security. SOC 2 is an auditing procedure that ensures we securely manage data to protect the interests of our organization and the privacy of our clients.
  • Our compliance committee meets monthly and has been discussing GDPR for many months
  • Our IT team meets weekly and GDPR has been on the agenda for months
  • The MatrixMaxx AMS team has been working on multiple upgrades to ultimately allow clients to better comply with the GDPR regulations:
    • We already have in place several reports that would allow the association to quickly/easily share information with anyone who requests a report of their data. (Individual Participation Report, Login Report, Page Request History report)
    • We are in the planning/development stage of an Anonymization function, which will allow the association to anonymize anyone who wishes to be forgotten, without losing the core transaction history in the record
    • We are researching and planning the best way to offer Consent functionality that complies with the double-verification requirement
    • We are monitoring and discussing with our 3rd party partners, like forums and email and marketing automation
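The two data-subject operations described above, the access request (gather everything held on one person across systems) and the right to be forgotten (anonymize the person without losing transaction history), can be sketched in a few lines. The following is an added example written for this post, not MatrixMaxx code; the record layout, the field names, the `SAMPLE_MEMBER` and `EMAIL_MARKETING_ROWS` data, and the function names are all constructed here. Two design points it makes explicit: identifiers are replaced with a random token rather than a hash of the email (a hash can be reversed by guessing, so it would still be personal data), and behavioural data such as login history and free-text notes go too, because they are about the person even though they are not a name.

```python
"""Subject access export and anonymization for a hypothetical AMS member record.

Added example; not code from the original post or from MatrixMaxx.
"""
import copy
import json
import secrets
from typing import Any

# Constructed sample data; field names are assumptions for this example.
SAMPLE_MEMBER: dict[str, Any] = {
    "member_id": 10482,
    "first_name": "Alice",
    "last_name": "Ferreira",
    "email": "alice@example.org",
    "phone": "+1-555-0100",
    "address": "1 Example Street, Springfield",
    "join_year": 2015,
    "login_history": [{"when": "2018-03-01T09:12:00", "ip": "192.0.2.10"}],
    "transactions": [
        {"id": 501, "date": "2016-05-02", "item": "Annual dues",
         "amount": 150.00, "note": "Paid by Alice by phone"},
        {"id": 777, "date": "2017-09-14", "item": "Conference registration",
         "amount": 425.00, "note": ""},
    ],
}

# A second, constructed system (email marketing) keyed by email address.
EMAIL_MARKETING_ROWS = [
    {"email": "alice@example.org", "list": "newsletter", "opted_in": "2016-01-10"},
    {"email": "bob@example.net", "list": "newsletter", "opted_in": "2017-04-22"},
]

DIRECT_IDENTIFIERS = ("email", "phone", "address")


def subject_access_export(record: dict[str, Any],
                          external: dict[str, list[dict[str, Any]]]) -> dict[str, Any]:
    """Gather everything held on the subject: the AMS record plus rows in other
    systems that match the subject's email. This is the access-request side."""
    subject_email = record["email"].lower()
    export: dict[str, Any] = {"ams": copy.deepcopy(record)}
    for system, rows in external.items():
        export[system] = [r for r in rows if r.get("email", "").lower() == subject_email]
    return export


def anonymize_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with the person removed but the transactions kept.
    Does not modify the input, so the caller can still audit what changed."""
    out = copy.deepcopy(record)
    token = secrets.token_hex(4)          # random, not derived from the person
    out["first_name"] = "Anonymized"
    out["last_name"] = f"Member-{token}"   # keeps name-based reports rendering
    for field in DIRECT_IDENTIFIERS:
        out[field] = None
    out["login_history"] = []              # behavioural data about the person
    for tx in out.get("transactions", []):
        tx.pop("note", None)               # free text may contain names
    out["anonymized"] = True
    return out


def identifier_values(record: dict[str, Any]) -> list[str]:
    """The original identifying strings, used to verify none survive."""
    vals = [record["first_name"], record["last_name"]]
    vals += [record[f] for f in DIRECT_IDENTIFIERS]
    vals += [entry["ip"] for entry in record.get("login_history", [])]
    return [v for v in vals if v]


def leaks_identifiers(anonymized: dict[str, Any], original: dict[str, Any]) -> list[str]:
    """Serialize the anonymized record and report any original identifier
    that still appears anywhere in it (including nested transaction rows)."""
    blob = json.dumps(anonymized, default=str)
    return [v for v in identifier_values(original) if v in blob]


def transaction_total(record: dict[str, Any]) -> float:
    """Financial history must survive anonymization unchanged."""
    return round(sum(tx["amount"] for tx in record.get("transactions", [])), 2)


if __name__ == "__main__":
    export = subject_access_export(SAMPLE_MEMBER, {"email_marketing": EMAIL_MARKETING_ROWS})
    print("access export:", json.dumps(export, indent=2))
    anon = anonymize_record(SAMPLE_MEMBER)
    print("leaked identifiers:", leaks_identifiers(anon, SAMPLE_MEMBER))
    print("totals before/after:", transaction_total(SAMPLE_MEMBER), transaction_total(anon))
```

The `leaks_identifiers` check is the part worth keeping in a real system: run it after every anonymization so that a new field added later (a notes column, an imported address) cannot quietly carry the person back into the record. The check matches on exact strings, so it can false-positive on surnames that are also ordinary words; treat a hit as something to review, not as proof of a leak.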

Is there a checklist for GDPR ‘compliance’? Can we all get certified as compliant?

The concept of GDPR compliance certification has been established in the regulations, but it has not yet been fleshed out to the point of actually going into practice. So at this point, as of March 2018, if someone tells you they are certified compliant with GDPR, that is false.  

Looking ahead

We are moving into a permissions-driven economy. The days are vanishing when you can get hold of someone’s email address and then send them endless amounts of email. You are going to need to politely and persuasively ask them for their data and explain how you are going to use it. You are going to need to be thoughtful about it. And you’re going to need to respect their desire for privacy while also wanting them to use your services.

As marketers of services, this can initially seem frustrating. But turn it around and think about yourself as a consumer. Haven’t you griped about the amount of email you get? Haven’t you wished your name would stop being shared with companies you don’t care about? These regulations are coming into effect to force a worldwide respect of individual privacy and to make the cyber-world better for all of us as individuals. In time, we may even view this focus on privacy and security as an implicit expectation, in the same way organizations are now expected to think about sustainability as a key operations value. All of this is a good thing.


PLEASE NOTE:

This is one of Matrix Group’s installments on GDPR, Privacy, and Security. We at Matrix Group are not lawyers or GDPR consultants; do not take this info as absolute. Use this information as a starting point in:

  • Gathering the documentation, processes and tools you need to assess and support your obligations under GDPR
  • Planning for a future where respect for privacy and security is implicitly baked into all our processes and systems, regardless of country