The year leading up to the May 25th deadline for GDPR was a frantic sprint to the finish line for many. Companies raced out of the starting blocks with controls and processes to meet compliance requirements before the deadline. Research from McKinsey released in April this year revealed that many didn’t feel prepared and resorted to temporary measures and manual processes.
These ‘stopgap solutions’ or temporary process fixes wouldn’t have been checked or tested. At the time, the priority was to bring systems and processes to an acceptable level of compliance, not necessarily to build sustainable controls. Now, with the deadline having passed and with compliance here to stay, the real challenge for businesses will be compliance sustainability. Are you prepared for the marathon ahead?
Whose interpretation is right anyway?
The challenge for many was that, while comprehensive, the GDPR guidelines have told companies what to do, but not how to do it. This ambiguity and a lack of case law leave GDPR compliance methods open to interpretation. Many companies will have spent a large amount of money and time interpreting the guidelines. The procedures they put in place to meet compliance standards will be based on an interpretation that still achieves their business objectives, but what works for one company might not work for another.
However, in the sprint to the deadline, many wouldn’t have had the time to take a more strategic approach, looking at how their changes would impact their customer experience or workflows. For instance, hundreds of email notifications around GDPR and intrusive privacy and cookie notices could have had a negative impact on the consumer.
Many businesses will have been tempted to simply bolt an additional process onto existing workflows. However, unnecessarily complex processes could negatively impact efficiency as well as the customer experience, ultimately affecting the bottom line.
Then again, with a looming deadline and massive penalties at risk, a more sophisticated approach takes time and money that many smaller organisations simply do not have.
Getting marathon fit for GDPR
The challenge facing many following the deadline is to ensure that the processes implemented during the sprint will produce the same results in the long run. Initially, the measures put in place will feel like an additional burden on already stretched teams. As the dust settles, it is important to ask yourself whether these measures are sustainable or whether there are more efficient ways of maintaining compliance.
Adding to the pressure is the uncertainty around the number and types of information requests that will be received and what really needs to be done in the event of a breach. Customers are increasingly aware of their rights and concerned about the use of their personal data. Third parties will also want reassurance that the data you process on their behalf is secure. Under GDPR, companies must be prepared for information requests from a range of stakeholders including partners, interest groups, the media and other individuals exercising their legal rights. Additional controls around customer interaction must be both effective and efficient. Failure to respond appropriately could waste time and negatively impact customer satisfaction.
The efficacy of controls can diminish over time. Businesses should look for opportunities to improve their controls as part of wider efforts to streamline processes. Automation will become an increasingly important part of sustaining GDPR controls in the long term and key to this is gaining the right tools to support you in your compliance efforts.
Wolters Kluwer’s GDPR solution, CCH GDPR Compliance, reduces the risk of non-compliance by giving accountancy practices and their clients an intuitive cloud-based hub, with customised, thoughtful workflows that simplify the compliance process by organising it into clear, simple and assignable tasks.
Risk management approach
Effective risk management and review is fundamental to sustainability. Beyond the fact that GDPR requires a regular review of compliance measures, their effectiveness in the long term will come down to a timely evaluation of what is acceptable in terms of risk management.
One way to ensure constant review of processes is by implementing a plan-do-check-act cycle for control and continual process improvement. A key question to ask is whether your compliance measures are introducing delay, customer frustration, excessive manual processing or unacceptable levels of risk of non-compliance into your business.
GDPR compliance will evolve as your business progresses. Over-cautious controls which felt relevant during the sprint may become less relevant as time goes on. If companies are to address the expectations of customers and regulators alike, it’s time to develop a roadmap to sustainable solutions.