“Opportunity is missed by most people because it is dressed in overalls, and looks like work”, said Thomas Edison.
With the GDPR clock ticking for marketers, it’s time to strip down to the bare bones of how to build a GDPR task force so your business can hit compliance deadlines and you can get ahead of the curve.
A six-phase framework for your GDPR task force
This six-phase framework helps you work out who needs to do what in your business, and when. While the marketing team may not necessarily drive your GDPR strategy, it is in your interest to get involved and make sure this happens.
Work through the tasks below and your business should end up with lower cost and risk, better customer service and a genuine marketing advantage: a clear, documented picture of what personal data you hold and why.
1. Educate your staff
Hold presentations and workshops to raise awareness and educate staff on GDPR. This includes the leadership team, which needs to have a more in-depth understanding of regulations and their impact on the business.
Where you don’t have the in-house resources for training, consider offering online training courses designed with specific roles in mind. For example, Me Learning has developed online GDPR courses in several areas, including with the Chartered Institute of Marketing (CIM) to educate and support marketers.
2. Ownership and discovery
This is where you work out who is responsible for what.
Who is responsible for GDPR compliance?
Start at board level and work out who will be accountable, and who will oversee your GDPR compliance project. Appoint a project manager and a team that covers all key stakeholders in your business, including marketing, IT, finance and other relevant business units. Appoint a Data Protection Officer (DPO) where the GDPR requires one (Article 37: public authorities, organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data); larger SMBs may choose to appoint one even where it is not mandatory. You may also want to engage legal advisors at this stage.
Where GDPR priorities are likely to pull project team members away from day-to-day work, plan for any resourcing gaps you may need to fill. In the marketing team, expect the biggest shortfall where data managers and marketing technologists are seconded to the project.
What are they responsible for?
Your GDPR task force is responsible for identifying all the internal processes that involve collection, handling and deletion of personal data in organised, centralised or ad-hoc ways.
They will also need to list all external suppliers that have a role in collecting, handling and deleting personal data connected to your business. Clearly, the marketing team has a big part to play in this – ultimately, you need to understand and influence the flow, recording and security of data, but the remit spans the business.
For example, Finance may outsource payroll; HR may use external recruitment agencies and also holds personal and sensitive data in-house; and your IT team may outsource development work and use real production data for testing. That last case deserves attention: copying customer records into test or development environments is itself processing of personal data, so it needs a lawful basis, the same access controls as production, or (better) anonymised or synthetic test data.
If necessary, use external questionnaires and diagnostics to assist with your analysis. Data discovery and classification tools can help locate personal data across file shares, databases, mailboxes and SaaS applications, and are more reliable than asking teams to list what they think they hold.
3. Conduct a gap analysis
To work out where the gaps lie, your GDPR task force will need to conduct a thorough audit and analysis of how personal data is acquired, processed and deleted. Record, for each processing activity, what data is held, why (the lawful basis), who it is shared with, and how long it is kept; this is the core of the record of processing activities that Article 30 of the GDPR requires most organisations to maintain. Then create a simple "red, amber, green" (RAG) health check report that grades the compliance of each area of data handling.
Conduct a business risk assessment to outline commercial risk and appropriate actions required. Larger companies may want a legal advisor to review this.
4. Planning
With relevant stakeholders involved, your project team should now:
- Prioritise changes, based on the RAG health check and business risk assessment
- Turn these priorities into a simple, costed project plan
- Review and agree plans, with full support of the Board
5. Implementation
Key deliverables will include these four tasks:
- Make the technology changes required to your infrastructure, business lines and systems. Allow time for any ground-up redesigns.
- Roll out new GDPR-compliant processes and documents, such as contracts with suppliers (processor agreements), policies, job descriptions and a procedure for handling subject access requests
- Execute an employee engagement programme to explain the changes in detail and make sure staff know how to report potential non-compliance or breaches. They are your eyes and ears on the ground, and the internal reporting route has to be fast: the GDPR gives you 72 hours from becoming aware of a reportable breach to notify the supervisory authority (Article 33)
- Where relevant, communicate externally with customers, partners and suppliers. Marketing can use this as an opportunity to show the outside world that you are on top of things and building a more transparent, trusted and customer-focused business
6. Monitor and review
Finally, your GDPR task force should tick off the following:
- Define how compliance will be monitored and how often
- Add these new monitoring processes to existing processes
- Add GDPR progress reviews to Board meeting agendas
- Larger companies should add GDPR to their strategic risk log as an ongoing item.
How much of a challenge the GDPR task force faces will depend on the size, structure and complexity of the business, and of course on how personal data is already gathered, stored and used. But it is not difficult to see how executing these tasks and setting up these new systems and processes could take your business and your marketing to a whole new level.
As Winston Churchill said, "A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty."
To find out more about the CIM/Me Learning GDPR training for marketers, click here.