GDPR: are your current processes good enough?

By Phillipe Koenig

Non-compliance with GDPR is likely to be far more costly than compliance: not only because of the fines the authorities can impose, but also because of the risk of reputational damage and churning clients. While the regulation will certainly put pressure on large corporates, it may pose an even tougher challenge for small- to mid-size companies. So what can you do today to assess whether your current systems are up to the task?

In smaller firms, we often see that the collected customer information is spread across multiple systems and communication tools. Think e-mail inboxes (both work and personal), CRM or ERP systems, databases, Excel files, folders on employee computers and personal computers, external drives, backups and archives. Furthermore, records such as copies of clients’ passports or prints of tax reports are often stored as hardcopies somewhere in an archive in the basement.

Although this form of archiving has never been a real joy, many smaller companies still rely on it to store client data.

Until recently, the biggest downside of this fragmentation was that information took longer to find. For example, lawyers in the UK spend an average of 2 hours a day finding information. Hard to imagine in a Google world, but true. Other firms hire one or more people to do this work for them: searching through old e-mails and hard-disk folders and ‘unboxing’ archived hardcopies. Apart from this waste of time, it is difficult to keep document versions in sync across all the systems and copies, and nearly impossible to update all of them at once (for example, when a customer moves house).

With GDPR coming in, however, the fragmentation of your clients’ information poses a more serious problem: not only will you need a complete overview of which information is stored where, a so-called “data inventory”; you will also need to justify how it is protected and how you will comply with customers’ requests to transfer or delete all of it.

So let’s go over how GDPR affects e-mail, customer relationship management (CRM) or ERP systems, and archives.

E-mail, CRM, ERP, archives and data rooms.

Do you use e-mail to interact with your customers? Think carefully about what type of data you ‘store’ in your inbox. The amount of uncoordinated data lying in inboxes is usually far beyond what we think. This becomes a liability under GDPR, as creating a data inventory out of your inbox is almost impossible. Tools: e.g. Outlook, Gmail and Apple Mail

Do you use a CRM, ERP, or other customer management software, such as accounting or asset management tools? If so, do you store personally identifiable information (PII, or ‘personal data’ in GDPR terms) in it? What do you do with it? If your systems integrate with other systems, do you hand an identifier (e.g. a customer number) between them, or the full record? Is the data encrypted, both in transit and at rest? Check this with your system providers; they should be able to answer most of these questions. Tools: e.g. Salesforce, Microsoft Dynamics and Capsule

How do you archive your customer data? Is it physical, or digital? Do you store too much, or just enough? For how long? How do you find the data you store? Is it stored securely? Who can access it, or parts of it? For example, if you store your mailing list in an Excel sheet on your company’s Google Drive, think about who can access it and whether those people really require access. The same applies to data rooms, often used to give others access to information of a sensitive nature.

Finding the right balance between properly securing your client data and being able to access it easily can be a lot easier than most people assume.

8 Steps to self-assessment

To give the questions above more structure and extend them to other systems you may currently use, we have listed 8 steps that will help you assess where your firm stands when it comes to GDPR compliance.

  1. A good start is to write down what data you currently keep. Is it names, addresses, photos, perhaps also service and communication history such as e-mails or letters?
  2. Do you really need it? List which data is really relevant. If you don’t need it, delete it and stop collecting it.
  3. Next up: where do you store it, and where can you find it?
  4. List where the data should not be, and delete it there (suggestion: personal computers and inboxes are hard to manage and should be at the top of this list).
  5. Consider how long you really need to store it. Some types of documents you must keep for 5, 10 or 20 years by law, but others may not need to be kept for that long. This can also save you archiving space (whether physical or digital).
  6. Write down a ‘procedure’ for what happens when a client wants their data removed or transferred. Clients can not only revoke consent, they can also request that their data is deleted: the right to erasure, often called the ‘right to be forgotten’. They can also ask for a complete copy of their data, including communication history (the right of access, and the right to data portability). You must respond without undue delay and in any case within one month; for complex or numerous requests this can be extended by two further months, but you have to tell the client about the extension within the first month. If you’ve completed steps 1 to 5 above, you should know where to find which data. That said, legal retention duties override the right to erasure: if archiving or bookkeeping law requires you to keep a document, you cannot delete it on request. You do, however, have to tell the client why you are keeping it and when you are going to delete it instead.
  7. Have a look at your Terms of Service. Do they ‘hide’ certain clauses? Under GDPR, clients need to be clearly informed which data is collected and how you process it, and consent has to be specific and freely given. For example, if they provide their e-mail address for login, there has to be a separate, unticked opt-in box to consent to a newsletter; a pre-ticked box or consent bundled into the terms does not count.
  8. Do your systems offer a ‘do not track’ function? GDPR gives individuals the right to object to processing (including profiling and direct marketing) and the right to restrict processing of their personal data. If an individual decides not to be tracked, honouring that should be as easy as (un)subscribing from a newsletter.
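To make steps 1 to 6 concrete, here is an added example that is not part of the original post and not Teebly’s software: a small data inventory with per-category retention rules, a check for data in places it should not be, an access/portability export, and an erasure handler that separates records a legal retention duty forces you to keep (and tells the client until when). All record contents, system names and retention periods are constructed for illustration; the retention periods in particular are placeholders, not legal advice.

```python
# Added example, not from the original post or Teebly's product. All records,
# systems and retention periods are constructed placeholders, not legal advice.
from dataclasses import dataclass
from datetime import date
import json


@dataclass(frozen=True)
class Record:
    subject_id: str   # internal customer number; hand this between systems, not the name
    system: str       # where the record lives (step 3)
    category: str     # what kind of data it is (step 1)
    created: date
    content: dict     # the personal data itself


# Step 5: retention in years per category. None means no legal duty to keep it,
# so it is deletable on request. Hypothetical values.
RETENTION_YEARS = {
    "invoice": 10,
    "contract": 10,
    "marketing_profile": None,
    "support_email": None,
}

# Step 4: systems customer data is allowed to live in. Inboxes and laptops are not.
APPROVED_SYSTEMS = {"crm", "accounting", "archive"}


def misplaced(records):
    """Step 4: records stored outside the approved systems, i.e. candidates for deletion."""
    return [r for r in records if r.system not in APPROVED_SYSTEMS]


def retention_deadline(record):
    """Date from which the record may be deleted, or None if it may go at once.

    Unknown categories raise KeyError on purpose: a record nobody has classified
    must not be silently deleted (or silently kept)."""
    years = RETENTION_YEARS[record.category]
    if years is None:
        return None
    try:
        return record.created.replace(year=record.created.year + years)
    except ValueError:  # created on 29 February and the target year is not a leap year
        return record.created.replace(year=record.created.year + years, day=28)


def export_subject_data(records, subject_id):
    """Step 6, access/portability: everything held on one subject, as JSON text."""
    mine = [r for r in records if r.subject_id == subject_id]
    return json.dumps(
        [{"system": r.system, "category": r.category,
          "created": r.created.isoformat(), "content": r.content} for r in mine],
        indent=2, sort_keys=True)


def process_erasure(records, subject_id, today):
    """Step 6, erasure: split the subject's records into deletable and must-keep.

    Returns (remaining, deleted, retained); retained is a list of
    (record, deletable_from) pairs, and those records stay in remaining."""
    remaining, deleted, retained = [], [], []
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)
            continue
        deadline = retention_deadline(r)
        if deadline is None or deadline <= today:
            deleted.append(r)
        else:
            retained.append((r, deadline))
            remaining.append(r)
    return remaining, deleted, retained


def erasure_notice(deleted, retained):
    """Reply to the client: what was erased, what is kept, why, and until when.
    When a request is not fully actioned, the client must be told the reasons."""
    lines = [f"Erased: {r.category} ({r.system})" for r in deleted]
    lines += [f"Kept until {d.isoformat()}: {r.category} ({r.system}), legal retention duty"
              for r, d in retained]
    return "\n".join(lines)


# Constructed sample inventory: one customer with data in three places, one of
# them an employee laptop, plus an unrelated customer who must be left untouched.
SAMPLE_RECORDS = [
    Record("C-1042", "crm", "marketing_profile", date(2016, 3, 1),
           {"name": "A. Example", "newsletter": True}),
    Record("C-1042", "accounting", "invoice", date(2017, 11, 20),
           {"amount_chf": 1200, "address": "Example Street 1"}),
    Record("C-1042", "laptop-hr-02", "support_email", date(2018, 1, 5),
           {"body": "Please update my address"}),
    Record("C-2231", "crm", "marketing_profile", date(2017, 6, 9),
           {"name": "B. Beispiel", "newsletter": False}),
]

if __name__ == "__main__":
    today = date(2018, 5, 25)
    print("Misplaced:", [(r.system, r.category) for r in misplaced(SAMPLE_RECORDS)])
    print(export_subject_data(SAMPLE_RECORDS, "C-1042"))
    remaining, deleted, retained = process_erasure(SAMPLE_RECORDS, "C-1042", today)
    print(erasure_notice(deleted, retained))
    print("Records left:", len(remaining))
```

Run as a script, it flags the support e-mail sitting on a laptop, exports the three records held on customer C-1042, erases the marketing profile and the e-mail, and keeps the 2017 invoice until 2027-11-20 with that date in the reply to the client. Two design choices matter in practice: a record whose category is missing from the retention table stops processing instead of being deleted by default, and the inventory is keyed on a customer number so that integrated systems exchange an identifier rather than the full record.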

GDPR is an opportunity, too.

If GDPR’s core aim is to change how businesses process and handle data, let’s see this as an opportunity for high-trust businesses to redesign internal processes in a way that impresses both regulators and customers. Remember that the core of GDPR is that you as a company are responsible for taking appropriate technical and organisational measures to protect the data you’re given, proportionate to the risk. By following the steps above you’re already off to a good start.

If you want to take it a step further, we’re excited to announce that we have just released new features at Teebly to make your GDPR compliance easier:

Who-accesses-what: sometimes, colleagues or third parties only need to see part of a document or conversation. Teebly equips the people of your choice with tools to easily manage who can see what, and for how long. We’re quite proud of the level of detail in this feature.

Data-at-rest encryption: when data is stored, we apply data-at-rest encryption. This means a rogue employee or ‘visitor’ who gets hold of the storage media or a backup cannot read the data without the keys. Note that encryption at rest does not by itself stop someone who already has legitimate access through the application; that is what the who-accesses-what controls above are for.

Consent management: as simple as flipping a switch, users can granularly opt in to or out of specific data uses at any time.

And there’s more where that came from:

Data portability: users can request all info you hold on them. With Teebly, it takes your firm minutes to fulfil this request. Not hours.

Instant wipe: if your client asks for their data to be removed, we automatically collect all relevant data and enable a simple and structured deletion process. Teebly automatically separates data that the law requires you to keep, for the right amount of time. Easy, right?

Storage location: your customers choose the region(s) in which their content will be stored. Apart from a general feeling of safety and control, we found that high net worth individuals specifically appreciate this function.

For further reading, we highly recommend the Information Commissioner’s Office (ICO) official guidelines, as well as the articles by Deputy Information Commissioner Steve Wood in which he discusses which ‘myths’ around GDPR compliance are true and false. We’re also fans of Revolut’s clear post and the Financial Times’ explanation video. This guidance on consent is worth a look, too. Finally, we recommend MME as one of the leading law firms on this topic, especially for companies in Switzerland.

Thanks for reading!

The Teebly Team. 

P.S. If you know someone who would benefit from reading this, please do forward!

Do you have questions about GDPR, or whether your current processes remain appropriate under the new regulation? Drop us a message at contact@teebly.co or via www.teebly.co. We’d love to have a chat.