This is a special guest post by Phil Rothwell, formerly Managing Director of Sellerdeck Ltd, now founder Director of EcomEvolve Ecommerce Evolution Partners.
GDPR: The Management Perspective
Anyone who has begun to look at the General Data Protection Regulations (GDPR) will testify that there is a lot of it and it is quite complicated. When I first read it, I concluded that most small businesses are going to struggle to meet its obligations in full.
As the Cambridge Analytica scandal has served to underline, however, data security has become a global issue. Consumers are becoming more aware of the risks and there is a real threat that your business could suffer irreparable damage unless you take the GDPR seriously.
Action is Required
From a management perspective, there are two things you need to know about the GDPR. Firstly, the maximum fines that can be levied upon miscreants (EUR 20 million) are vastly greater than those that can be imposed via the current Data Protection Regulations. Secondly, company officers are now legally obliged to report incidents where data security has been compromised.
As company owners, we are all used to being held legally accountable for the operation of our business, so in time this is something we will get used to. In the short term, however, what is concerning about the regulations is that no one really knows for sure how to implement them correctly and none of them have been tested in a court of law.
To its credit, the Information Commissioner’s Office (ICO) has been making some soothing noises. The message, for now at least, is that they are not seeking to make “examples” of businesses. Companies that make honest efforts to implement the regulations will be “helped” rather than “penalised”.
Where to Start
The biggest problem with implementing the GDPR is its scale, which is overwhelming. I can guarantee that by the time you finish reading the first page of the summary, your head will already be spinning!
I have concluded that the best place to start is to focus on the core of the regulations and here are my 5 top tips for moving forward:
- Acknowledge that GDPR implementation is a business process problem; it cannot be resolved with a software update. You are going to have to write down how you intend to comply with the rules, even if you are a micro-business.
- Do not play fast and loose with your customer data. Start by assuming that all the personal data you keep, wherever it is and whether it is in clear text, encrypted or anonymised, needs to be protected in the same way. Make a list of everything you hold and where it is stored.
- Initially focus attention on understanding “the lawful basis for processing”. These rules lie at the centre of the regulations. Pay special attention to the meaning of “consent”. You can’t assume that you have permission to use your existing marketing lists.
- List the different things you do with your customer data and then identify which lawful basis applies to each usage. Be careful: these decisions will be difficult to change later.
- Identify how you need to change your current working practices to comply with the rules.
At this point you will be in a good position to start implementing the GDPR in your business.
Finally, do not be afraid to ask for help. We all hate spending money on services that add nothing to the bottom line. But, getting help from people who have a little more experience than you will, in the long run, save you time and help you to avoid the potentially ruinous costs of failing to comply.
About the Author
Phil Rothwell is an ecommerce consultant with more than 30 years’ experience working in the Internet and IT industry. He was formerly the managing director of Actinic Software and Sellerdeck and is respected by friends, colleagues and customers for his integrity, experience and skills.
You can contact Phil at http://www.ecomevolve.co.uk/gdpr-implementation-support-for-sellerdeck-users/