In today’s customer-led world, handling consumer data is a business-critical issue for many organisations, not least Travel Management Companies. Here at Giles Travel, we already work to current data legislation. However, we are constantly seeking to improve our processes, and that is why, with the new General Data Protection Regulation (GDPR) coming into effect in May 2018, we are developing a comprehensive new programme of compliance to ensure that the way we control and process sensitive personal information remains effective and in line with best practice.
Over the next few weeks and months our Sales, Account Management and Marketing teams will be in contact with you, sharing more information about our GDPR programme and how it affects the way we work and communicate with you. In the meantime, does GDPR affect your own organisation? Here are our top five tips for getting started and making sure your business is compliant with the new legislation:
- Start now. Begin planning your General Data Protection Regulation change programme immediately, as several steps are required to ensure your organisation is compliant before May 2018.
- Find or hire a Data Protection Officer (DPO) who will make your GDPR problem interesting. If you can make the problem compelling and the solution constructive, you will bring people on board with the change programme. The ideal person for the job is someone who already works with customer data to develop insights for your organisation, as they understand how the business wants to use data.
- Identify which processes may cause harm. Make a ‘hit list’ of the processes that are most likely to cause harm to an individual, or the organisation. For example, a GP clinic managing health-related data could cause serious harm if patient data is mishandled, whilst losing the ability to send email marketing messages to your entire marketing database is also harmful. Once potentially damaging processes are identified, describe how the data flows through each process to visualise potential risks.
- Identify the external threats to, and internal errors in, your data management processes. Have you used a third-party agency to create a data capture device, for example a website or landing site? Make sure they are knowledgeable about GDPR and can write programmes and privacy notices that comply with it. Internally, your organisation needs to mitigate errors by ensuring staff are appropriately trained, and that records of training are kept.
- Put an Information Governance Framework (IGF) in place. An IGF includes a risk register that helps demonstrate your accountability by documenting how data management issues are reviewed and acted upon, and that this is done by people with the appropriate levels of experience and responsibility.