Stibo Systems - The Master Data Management Company

GDPR: The DOs and DON’Ts of Personal Data

June 13 2018 |
3 minute read

The 25th of May 2018 has come and gone, and the General Data Protection Regulation (GDPR) now applies. In this blog post we'll share a few insights into what you as a business should, and should not, do in the wake of the GDPR.

Taking on GDPR

Do view the personal data rights as natural, and free, services to your customers

The rights that individuals can now exercise under the GDPR mean that your business is obligated to provide them with certain information, including the purpose of the processing and how long their data will be kept. You also have to act on their behalf when asked, such as moving their data to another organization, completing or correcting details on their customer profile, and even erasing their data. And, all of this must be done free of charge for the individual, and without undue delay.

Instead of seeing them as inconvenient duties, view these as services you provide to your customers and prospects—services that, so far, differentiate you from non-GDPR-compliant businesses. And, like any other customer service you provide, do it with a smile. 

Do change your business mindset and culture about personal data

By now you (hopefully) have the systems and processes in place that are required by the GDPR. But, there’s still a task that awaits most companies: changing how you and everyone in your organization view your personal data. In fact, the “your” in the last sentence is exactly what needs to change. The personal data that the GDPR was set out to protect is no longer yours. It belongs to the related individual. You’re merely borrowing it to deliver a service or a product, and so need to treat it with the respect it deserves. The change management perspective of this thinking should not be underestimated. So, if you haven’t already started internal campaigns around this, start now. 

Dos and don'ts of the GDPR 

Do think data protection into all business aspects

The GDPR needs to be an integral part of how you do business now. With every new project, initiative and system you launch, you need to put on your "data protection glasses" right from the start. Ask yourself:

  • How are we continuously training our employees to handle personal data?

  • How do we handle onboarding personal data into our enterprise systems?

  • How are we internally communicating the importance of protecting personal data?

  • How do we handle personal data in contracts moving forward?

Do keep upping your data protection efforts

Just because your business is GDPR-compliant does not mean that you can lean back and expect all your data issues to be solved, and the affected data kept safe. Data breaches will continue to happen. New regulation will follow as data usage evolves even further. Consumers will develop new expectations above and beyond the GDPR as soon as the protection level it requires becomes the norm.

So, you might as well prepare for all these things and be proactive instead of reactive. Make sure you have a clear and relevant data breach communication and action plan ready. Keep educating yourself on how data protection practice and regulation evolve, and make sure the budget is in place, as this is an area that will only continue to gain importance.


Don’t give up

Although the GDPR deadline has passed, far from all companies that need to be compliant are. But, that doesn't mean they should give up. As fines start to be issued, don't panic; just keep going and start changing your processes, systems, communication, etc., one step at a time.

Don’t ignore requests from individuals

The one thing that will put you right in the spotlight of your national data protection supervisory authority is if you fail to deliver on the rights that individuals may exercise towards you. Individuals can formally complain about you if they feel you are failing to protect their personal data. And, if you are found not to be GDPR-compliant, you risk a fine of up to 20 million euros or 4% of your annual worldwide turnover, whichever is higher. So, even if you and your employees are crazy-busy doing other stuff, do not ignore a single personal data request. Respond without undue delay, and in any case within one month, and prioritize the resources it takes to deliver what is asked for, even if it costs you, because if you don't, it might end up costing you a lot more.


Don’t be afraid to delete data

The consent aspect of the GDPR is probably where most businesses are hesitant, simply because it can potentially cost them a big chunk of their customer and/or prospect database. Consent is one of several lawful bases for processing, but it is the one most marketing activity relies on, and where you rely on it, the GDPR requires consent that is freely given, specific to a purpose, informed and given by a clear affirmative action; pre-ticked boxes and silence do not count. Consent that does not meet that bar has to be re-obtained, which is why many companies have had to re-ask their entire database, and contacts who do not respond have to be removed from that processing. That scares many companies away from doing it. But, it shouldn't. Instead, view it as a way to clean up your contacts and only keep the ones that actually wish to receive marketing and communication from you. Don't be afraid to delete data from those not interested; data you hold on another lawful basis, such as an open contract or a legal retention obligation, is not affected by a marketing opt-out and stays, but must no longer be used for marketing. If they're not even interested in receiving relevant emails from you, chances are they're not going to buy from you anytime soon.
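The clean-up described above, as an added example that is not Stibo Systems' code or taken from any real system: a purpose-specific consent check, erasure of contacts that lack it, a hold for records kept on another lawful basis (which are kept but blocked from marketing), and a salted-hash suppression list so an erased address is not silently re-imported from a partner or an old export later. The data model, field names, salt and sample contacts are all constructed for the example.

```python
"""Purge contacts that lack purpose-specific consent, keeping a suppression
list so erased people are not re-imported later.

Added example with constructed data; not code from any real CRM or MDM system.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class Consent:
    purpose: str                  # consent is per purpose, e.g. "marketing_email"
    given_at: Optional[datetime]  # None means never given, or withdrawn
    evidence: str                 # how it was captured (assumed free-text field)


@dataclass
class Contact:
    email: str
    name: str
    consents: List[Consent] = field(default_factory=list)
    retain_reason: Optional[str] = None  # other lawful basis, e.g. an unpaid invoice


def has_consent(contact: Contact, purpose: str) -> bool:
    """True only for an active (not withdrawn) consent record for this purpose."""
    return any(c.purpose == purpose and c.given_at is not None
               for c in contact.consents)


def suppression_token(email: str, salt: bytes) -> str:
    """Salted hash of the normalised address: enough to block re-import,
    but no longer the plain personal data that was erased."""
    normalised = email.strip().lower().encode("utf-8")
    return hashlib.sha256(salt + normalised).hexdigest()


def purge_without_consent(contacts: List[Contact], purpose: str, salt: bytes
                          ) -> Tuple[List[Contact], List[Contact], Set[str]]:
    """Split contacts into: kept (valid consent), held (no consent but another
    lawful basis, so the record stays but is blocked from this purpose), and a
    set of suppression tokens for everyone who may no longer be contacted."""
    kept: List[Contact] = []
    held: List[Contact] = []
    suppressed: Set[str] = set()
    for c in contacts:
        if has_consent(c, purpose):
            kept.append(c)
            continue
        suppressed.add(suppression_token(c.email, salt))
        if c.retain_reason:
            held.append(c)   # keep the record, stop the unconsented processing
        # otherwise the contact is dropped: only the hash survives
    return kept, held, suppressed


def is_suppressed(email: str, suppressed: Set[str], salt: bytes) -> bool:
    """Check an incoming address (e.g. from a partner import) against the list."""
    return suppression_token(email, salt) in suppressed


# Constructed sample data (not real people).
SALT = b"example-salt-store-separately-from-the-list"
T = datetime(2018, 5, 20, tzinfo=timezone.utc)
SAMPLE_CONTACTS = [
    Contact("alice@example.com", "Alice",
            [Consent("marketing_email", T, "double opt-in web form")]),
    Contact("bob@example.com", "Bob",
            [Consent("marketing_email", None, "withdrawn 2018-06-01")]),
    Contact("carol@example.com", "Carol", [], retain_reason="unpaid invoice"),
    Contact("dave@example.com", "Dave",
            [Consent("newsletter", T, "web form")]),  # consent for a different purpose
]


def run_example() -> Tuple[List[Contact], List[Contact], Set[str]]:
    return purge_without_consent(SAMPLE_CONTACTS, "marketing_email", SALT)


if __name__ == "__main__":
    kept, held, supp = run_example()
    print("kept:", [c.email for c in kept])
    print("held (no marketing):", [c.email for c in held])
    print("suppressed tokens:", len(supp))
    print("re-import of Bob blocked:", is_suppressed("Bob@Example.com ", supp, SALT))
```

Two design points worth noting: consent is checked per purpose, so Dave's newsletter consent does not carry over to marketing email, and the suppression list stores only a salted hash, so the erased address itself is gone while re-import can still be refused.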

Don’t let your personal data efforts negatively impact other processes

Just because you have changed your business ways in regard to collecting, processing and storing personal data, you shouldn't change everything else. Don't stop sharing data with third parties if that has proven a success for you earlier. Just make sure you have a lawful basis for the sharing and that your partners are GDPR-compliant as well, with a written data processing agreement in place for anyone processing personal data on your behalf. Don't give up on trying to create personalized customer experiences because there are limitations to the data you can collect. In fact, try harder. Don't let the GDPR be a barricade for innovation and creative thinking. Think GDPR into your creative processes, and let it be an enabler, not a barrier.


Martin Samuel Nielsen is the Chief Information Security Officer (CISO) at Stibo Systems. Martin, who has worked with information security in some of Northern Europe’s biggest companies, including Vestas and Velux, has a great passion for making data protection and information security an integral part of the daily business processes. He holds several personal information security certifications, such as CISA, ESL, CISSP, CISM and CRISC. Martin is also the leading force behind Stibo Systems’ ISO/IEC 27001:2013 certification, the international standard outlining best practices for information security management.
