How might GDPR affect different business functions?
GDPR is a fast-approaching regulatory update that has been cause for much concern among business leaders and in many cases is only partially understood. While some organisations were highly proactive and ensured they were hiring change project managers at the beginning of 2017 to prepare for the enforcement date, 25th May 2018, there are still uncertainties surrounding the new regulations. So what does it all mean and how will it affect your business? Beyond that, how will it affect various business functions and how will the different departments need to react?
Simply put, there is no one simple plan for GDPR - it will mean different things for different businesses and different functions within your organisation. From a hiring perspective, there will almost certainly be the need for new team structures, new hires and shifting responsibilities.
GDPR is undoubtedly going to mean change for your business. Each function will have different responsibilities in the lead-up to and after the enforcement of the changes. None of these teams is impacted in isolation; it is the whole business which will need to react and adapt to the new legislation. However, there are ways in which each department will need to act in order for the whole business to be prepared.
IT professionals have been, and will continue to be, responsible for the development of new IT systems, improving infrastructure for data storage and improving data security. As the traditional custodians of data, the IT function will in all likelihood sit at the heart of compliance efforts. While it is other business functions who are ultimately responsible for implementing the right procedures, it will often fall to the IT team to advise on best practice and bring their established knowledge of data and systems to bear on the wider compliance programme.
Legal teams will need to draft new policies and procedures, and existing policies will also need to be reviewed and amended in order to ensure compliance. Many companies will need to consider bringing in a data protection officer (DPO) to manage the relationship with the regulatory body and determine when and how to report any breaches.
For HR, it has meant a re-evaluation of the way employee data is stored, what data is collected and how it will be managed moving forward. There is now a need to ensure there are clear processes for the retention and deletion of data as well as processes in place for Subject Access Requests. Privacy notices will need to be in place for all employees in addition to a data protection policy. Third-party contracts will also need to be updated to ensure compliance. The sharing of data, particularly outside of HR, will need to be minimised and encrypted wherever possible.
Marketing teams will need to develop more transparent customer data collection methods and the level of interaction will be completely determined by the consumer. When speaking to clients, Amie Hemson, Senior Consultant for Michael Page Marketing, has received the following feedback surrounding GDPR: “There is a predicted loss of revenue from direct marketing campaigns (both email marketing and direct mail) and also telemarketing. As a result, I have seen organisations investing in other revenue streams such as ATL (above the line) channels. Within the charity sector, there has been a greater shift towards trusts and grants fundraising and partnerships. There has also been an investment into data and compliance teams.”
The digital function within your business will be fundamental in ensuring that the marketing team’s collection and storage of data is compliant. Managing the existing digital platforms or introducing new management systems to better suit the company’s data will be a key role in the lead-up and in the continued management of GDPR compliance.
Procurement and Supply Chain
Within the procurement and supply chain specialism of your business, professionals will be required to liaise with suppliers to ensure that contracts are governed in compliance with GDPR. In order to do this, businesses need a sound understanding of the data flows and contractual arrangements that support the supply arrangements. While it is vital that you take all precautions to efficiently manage your contracts, Cameron Smith, Director at LDPS Consulting, says: “Suppliers will also need to be reasonable and understand their risks of data management in the negotiation of the terms and liabilities. Give and take is required by both parties.”
Despite the concerns which these changes have evoked, there has been a significantly positive response to GDPR. It has been recognised by many digital and IT leaders as an opportunity to reassess the way their business captures and manages data. This analysis has not only allowed for the improvement of IT infrastructure to ensure compliance but also how the business can better use these systems to improve everyday processes and procedures.
Emma Durbridge, GDPR Digital Project Manager at Diabetes UK, had this to say on the topic:
“The coming changes are hopefully going to improve communications between businesses and their supporters, users or customers. Digital teams know that the platforms they use and strategies they have in place will greatly contribute to these relationships – improving current user experience and journeys.
“Prompting businesses to alter the way they collect, use and store data has given digital leaders, amongst others, the chance to look beyond short-term requirements for compliance and think about how we can all make positive, socially responsible changes for the future.”
Through careful evaluation of the risks to your business and a sound strategy to ensure compliance, GDPR can be viewed as a push to improve your current business infrastructure that will ultimately improve your data management, facilitating streamlined processes and therefore more efficient decision making throughout the organisation.
If you would like to learn more about managing your GDPR strategy and who should be involved, be sure to check out our article “Identifying the right people to manage GDPR”. Alternatively, get in touch with one of our specialist consultants for a confidential discussion or submit a job spec to start the search for the talent you need.