The GDPR will be enforced in just about one month, which means it’s more than time to take the matter head on! Not sure where to start? You can begin by reading the ICO’s guide “Preparing for the GDPR: 12 Steps To Take Now”.
Whether you are in charge of data processing or a subcontractor, you will likely realise that there is a lengthy to-do list when it comes to compliance with the GDPR: security, legal, organisation, business, and client experience challenges could arise. If you don’t have sufficient internal resources (no legal department, no GDPR-savvy Data Protection Officer), don’t go it alone!
Law firm and data companies: a winning team
Your first thought might be to solicit a law firm when it comes to GDPR compliance. You’re not wrong! But involving someone who is an expert in data strategy can nicely complement legal aid. This is especially true if data is at the heart of your digital strategy and you use specific data processing tools (web analysis, media-buying, reporting, DMP, etc.) which require full knowledge of their functions and business challenges.
The law firm is ideal for:
- Helping you to interpret the GDPR and answering questions such as “When must I get user consent?”, “How should I treat the data of prospects vs. clients?”, and “What and how should I communicate with my clients?”
- Assisting you with administrative formalities with your local authority (if needed)
- Drafting or updating legal documents (contracts, data protection policies, charters, legal mentions, personal data registers, etc.)
- Informing your Data Protection Officer (DPO) of his or her new responsibilities.
Simultaneously, the data company can assist with:
- Completing the preliminary audit and defining an action plan, which includes evaluating preparedness for the GDPR, examining current systems, identifying main steps to be taken, and organising fittingly.
- Digging deeper in certain technical areas, including examining specific tools (such as your tag management system or web analytics tool), market surveillance (e.g. identifying best practices for retargeting), recommending a procedure of detection and notification for data violation, establishing a data pseudonymisation method (CRM identifier, etc.)
- Unburdening the legal aid where possible by taking on some of its responsibilities such as mapping personal data, formalising purposes for each instance of data processing, identifying subcontractors, educating/raising awareness about GDPR, suggesting internal and external communications strategies, keeping the record of processing activities, taking the project management in charge, considering the place of “privacy by design” in digital projects, etc.
- Ensuring that data used for marketing purposes is in compliance with GDPR (for example, for user list creation and e-mail campaigns)
It’s not too late to take steps towards GDPR compliance. Depending on your needs, your industry, and your company’s maturity, decide which players will be best for your team: just a law firm, or a law firm working with a data company, or a data company working with your own legal department. You can combine them as you wish so long as roles are clearly defined and each team member brings its own expertise to the game.