2018 is now firmly underway, and with it the new legislation for 2018, in particular GDPR, the General Data Protection Regulation, which is on the final run down until implementation on 28 May this year.
There has been plenty written online about GDPR compliance already. Since the New Year it has become a popular blog topic. Indeed, most large businesses have already had large central programs underway for some time.
Mapping of data and the basis of processing should already have been established. Privacy notices and any updates to data policy may already have been completed, and processes to notify the regulator of breaches within 72 hours should be established and ready to put in place.
Even unstructured data, such as emails, files, spreadsheets and paper, should now be getting mapped. It will all be discoverable under GDPR and needs to be in scope.
However, despite the work by central teams, with less than two months to go, we need to ask ourselves the question, ‘Are we operationally ready?’.
Operational Readiness
Undoubtedly impacts on the Collections and Recoveries process are expected. Business As Usual, of course, does not stop whilst changes are made and some of the changes could potentially be significant.
5 areas of focus: Being ready is being forearmed
- Legal basis for processing: Whilst the contract with the customer may be relied on in many cases, vulnerable and mental capacity cases are expected to fall under a special data category requiring consent. Ensure you have processes to handle this and be able to answer customer questions on their rights in order to remain compliant.
- Unstructured data: All data, including spreadsheets, files and emails, is now included in scope. This will impact non-core and ad hoc processes such as back office and escalations. Ensure you have this data mapped: it is discoverable and needs to be made available under a Data Subject Access Request.
- Data policy: Retention and deletion policies need to be defined and executed against. This could limit your performance MI history and data used for risk modelling unless care is taken.
- Data Subject Access Requests: These currently attract a £12 fee and it is estimated 80% of all requests are deterred by this fee. Under GDPR, this will now be fee-free, with data returned within 30 days, so request volume is expected to increase significantly. Ensure you have adequate staffing and procedures and that staff are trained to handle the volume.
- Control Framework: Ensure there is a robust control framework to monitor performance and evidence compliance. This will be important to ensure sustainability of compliance and to protect your brand, customers and company in any audit by the ICO.
Time is running out
Certainly, there is much more awareness about GDPR requirements than there was back in 2017; indeed there has been a flurry of activity recently. Under GDPR, managers are now of course directly accountable for non-compliance.
However, with the countdown to implementation now measured in weeks rather than years, this leaves little time to get ready. With several weeks needed to hire and train, for internal staff, some aspects of this deadline have already passed.
Whilst the central team may have provided great support to date in planning and explaining the legislation, the ‘rubber needs to hit the road’ and changes to customer-facing processes and communication are now required.
Ensuring you have a dedicated team of SMEs to support this change, one which is adequately resourced so as not to impact your ability to produce Business as Usual results, is going to be critical in the run up to and post May 2018.
Despite the short deadlines, there are still options available and at Arum we have already been supporting clients with this change, providing expert resource to help prepare, with SME resourcing available to help keep things running smoothly.
Sometimes everything just needs to be done (including BAU), so if you have any doubts that you’ll be ready for GDPR, please get in touch and we’ll be happy to assist you with resourcing to get the job done in good time.
Chris Warburton – Lead Consultant