Ben Dodson, Managing Director, The Bespoke Group
Over the last few months, we, like many businesses in Europe, have been working towards GDPR certification and the ability to demonstrate our compliance. The project was initiated to satisfy new EU legislation that comes into force on May 25th 2018, with potential fines and legal ramifications for European businesses that don’t comply.
However, thanks to much publicised data breach issues such as the recent Cambridge Analytica and Facebook news story, there is now a much larger focus on this topic worldwide. In fact, we now have customers outside of Europe asking us to demonstrate our GDPR compliance as a part of their own data privacy process.
These customers are looking for us to identify what data we hold about them, their employees or customers, and then to prove that we handle that information professionally. Thankfully, in most of the important and more vulnerable areas where personal data is managed, we realised that our processes were already robust enough.
But in kicking off the project, and if I’m totally honest, the whole subject looked a little daunting. The biggest challenge we faced was in knowing where to start and what was expected of us.
After some online investigation and initial legal advice from a friend, we found some really useful resources. If you’re a UK business and haven’t yet started your own GDPR project, we would recommend you:
After having looked at these ourselves, the most revealing and helpful exercise we were advised to do was to sit in front of a whiteboard and map out our client and employee data journey. For clients, this involved plotting the process from winning them, to managing their account/project, to understanding any prospect or customer information we hold on their behalf, to closing their account down at the end of the relationship. For employees, this started from the recruitment process through to new starters, ongoing employees, leavers and then how we handle ex-employee information.
We were constantly asking ourselves: ‘What information do we hold about them? Where, how and by whom is it held? And at what point do we erase it?’ This really helped us to understand our existing processes and, fundamentally, any areas for improvement.
As it turned out, most of our critical data points were around the handling of our own employee and ex-employee data: data we hold about them personally, from their financial details to previous references, home address details and even photography.
Having done this exercise, we were able to start working on some internal process documents to demonstrate how we manage this data – of course, we also initiated some mini projects to improve processes in a couple of areas too. We then started work on some internal and external privacy documents that could be shared with customers, prospects, employees and visitors to our websites.
With these roughly in place, we then registered with the ICO as linked above. We were expecting a rigorous legal registration form that we wouldn’t understand, but it was surprisingly quick and easy to fill out, taking approximately 30 minutes. And, given that our turnover is under £25 million, the price was minimal too. Having filled out the form, we received certification in only a couple of days.
As an international PR & Marketing agency working in a diverse set of markets, from print to telecoms and satellites, energy, utilities and hospitality, we are fortunate to have a growing business with an amazing team and an exciting client base. But, from a management perspective, it’s easy to get caught up in the day-to-day and the perennial focus on revenue and profitability. So, despite the catalyst for this procedure being somewhat thrust upon us, I have to say that, personally, I’m very glad that we did it.
The process has also led to us asking some valuable questions about how we manage other types of data. It has also helped us to establish more efficient ways to manage a whole host of other processes and internal tasks, from general business management to HR, IT and Finance.
While I’m sure that we’re only at the start of our data privacy journey, we now feel that in having undertaken this process, we understand our business much better. And, crucially, we now feel a lot more informed, empowered and confident about how we manage the data that we hold.