The EU’s General Data Protection Regulation (GDPR) applies from 25 May 2018. Regardless of Brexit, UK companies must comply with the new regulation or face severe penalties: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. It is the biggest change to data protection law in over 20 years, and complying with it is no small feat.
GDPR is about protecting personal data: any information that can be used to identify an individual. It gives individuals rights over how their data is collected, used, stored and disposed of, which means the ways in which companies collect and process personal data have to change.
Consent is one example of what has changed: it must now be given by a clear affirmative action, so pre-ticked boxes and silence no longer count, and many businesses use a double opt-in so that they can later show consent was given. Individuals also have the right to erasure (the “right to be forgotten”) and must be told when their data has been deleted. Businesses are expected to build compliance in from the start of any project, under the principles the regulation calls “privacy by design” and “privacy by default”. In practical terms, this means that data privacy must be considered from the earliest stages of planning, before projects are rolled out or new systems deployed.
Enterprise Resource Planning (ERP) solutions have always promised reliable data storage, accurate representation of data and the centralising of the data held across an organisation, so ERP and GDPR are naturally connected. It is crucial to recognise, however, that GDPR compliance is a company-wide concern that will require changes to policy, IT security and data protection processes.
Yet your ERP system lies at the centre of your business operations, and if your data management solution is aligned correctly it can play an enormous role in achieving compliance.
Let’s investigate how a modern, robust ERP system can help a business as it works towards GDPR compliance.
Data security management
When did you last consider your company’s data security policy? This is not only about the applications used to gather data or the servers on which it is stored. A comprehensive internal data security policy must be developed and put in place before the GDPR deadline, and it must answer questions such as:
- What personal data do you hold?
- Where did it come from?
- How was it gathered?
- Who internally has access to it?
- Do they access it from mobile devices that leave the office?
- Do you keep an asset register tracking the location of all company mobile devices?
- Can they upload new personal data onto your systems from outside the office?
- How long do you keep personal data?
- How does your company share this data – internally and externally?
- Do you know where all your data ends up?
- What is your process for deleting old data?
The first step in answering these questions is to undertake an information audit. This audit needs to cover how every category of personal data you hold is managed, which might mean investigating multiple systems used to collect, process and store personal data.
The more systems your business has in place, the tougher the information audit will be. But consolidating the information from those disparate systems into one place will already stand you in good stead for GDPR compliance.
The fewer points of data collection you manage, the clearer your view of the data you hold, the more streamlined your operations and the easier compliance should be. Your ERP solution should also let you control data access permissions and views at every level of the business.
Consent and data erasure
GDPR requires businesses to have a lawful basis for contacting customers about sales and marketing, and where that basis is consent, the consent must be freely given, specific, informed and unambiguous. By the same token, those customers must be able to withdraw their consent as easily as they gave it, and they have the right to be forgotten.
Obtaining consent must be a simple process that explains in plain language what the customer is agreeing to. The onus is then on the business to be able to demonstrate, at any time, that each contact has consented to being contacted and to having their data processed and retained.
As with data security, consent and erasure are easier to manage with a suitable ERP solution in place. It should include customer relationship management (CRM) functionality as standard, letting you manage contact records and communication history and giving you an audit trail of every customer touchpoint. You can see how a customer has corresponded with you, including calls and meetings, and, critically, if all of this information is in one place, deleting their record on request is straightforward. Bear in mind that erasure is not absolute: where another law obliges you to keep certain records (invoices for tax purposes, for example), that data is retained and the customer is told why.
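As an added example (not code from the original article or from any ERP vendor), here is a small Python model of what the single-record approach above has to do. It keeps each consent decision together with the evidence needed to demonstrate it later (when it was given, through which channel, and which version of the wording the person saw), treats the absence of a recorded decision as no consent, and on an erasure request removes the record and its whole history while keeping only a keyed reference, so the business can later show that and when the erasure happened without retaining the person's data. The contact ids, names and dates are constructed sample data; the HMAC key and the class and function names are this example's own choices.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentEvent:
    """One consent decision, recorded with enough context to demonstrate it later."""
    when: datetime
    action: str           # "granted" or "withdrawn"
    purpose: str          # e.g. "marketing-email"
    source: str           # where it was captured: form id, call reference, ...
    notice_version: str   # version of the plain-language wording the person saw


@dataclass
class ContactRecord:
    contact_id: str
    name: str
    email: str
    consent_log: List[ConsentEvent] = field(default_factory=list)
    touchpoints: List[str] = field(default_factory=list)   # calls, meetings, emails


class ContactStore:
    """One store for contact data, consent evidence and erasure evidence (example design)."""

    def __init__(self, erasure_key: bytes):
        # Key for an HMAC over the contact id, so the erasure log can later answer
        # "was this person erased, and when?" without keeping the id itself.
        self._erasure_key = erasure_key
        self._contacts: Dict[str, ContactRecord] = {}
        self._erasure_log: List[dict] = []

    def add(self, record: ContactRecord) -> None:
        self._contacts[record.contact_id] = record

    def record_consent(self, contact_id: str, action: str, purpose: str,
                       source: str, notice_version: str,
                       when: Optional[datetime] = None) -> None:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        self._contacts[contact_id].consent_log.append(
            ConsentEvent(when or datetime.now(timezone.utc), action,
                         purpose, source, notice_version))

    def current_consent(self, contact_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for the purpose, or None if the person never decided.
        No event means no consent: silence or a pre-ticked box does not count."""
        events = [e for e in self._contacts[contact_id].consent_log
                  if e.purpose == purpose]
        return max(events, key=lambda e: e.when) if events else None

    def has_consent(self, contact_id: str, purpose: str) -> bool:
        latest = self.current_consent(contact_id, purpose)
        return latest is not None and latest.action == "granted"

    def _subject_ref(self, contact_id: str) -> str:
        return hmac.new(self._erasure_key, contact_id.encode(), hashlib.sha256).hexdigest()

    def erase(self, contact_id: str, when: Optional[datetime] = None) -> dict:
        """Honour an erasure request: drop the record and its history entirely,
        keeping only a keyed reference and a count of what was removed as evidence."""
        record = self._contacts.pop(contact_id)   # KeyError if unknown: nothing to erase
        entry = {
            "subject_ref": self._subject_ref(contact_id),
            "erased_at": (when or datetime.now(timezone.utc)).isoformat(),
            "removed": {
                "fields": ["name", "email"],
                "consent_events": len(record.consent_log),
                "touchpoints": len(record.touchpoints),
            },
        }
        self._erasure_log.append(entry)
        return entry

    def is_known(self, contact_id: str) -> bool:
        return contact_id in self._contacts

    def proof_of_erasure(self, contact_id: str) -> Optional[dict]:
        ref = self._subject_ref(contact_id)
        return next((e for e in self._erasure_log if e["subject_ref"] == ref), None)


def build_sample_store() -> ContactStore:
    """Constructed sample data (not real people) for this example."""
    store = ContactStore(erasure_key=b"demo-key-rotate-in-production")
    store.add(ContactRecord("c-1001", "Ada Example", "ada@example.com",
                            touchpoints=["2018-03-02 call", "2018-03-09 meeting"]))
    store.add(ContactRecord("c-1002", "Ben Example", "ben@example.com"))
    t = datetime(2018, 4, 1, tzinfo=timezone.utc)
    store.record_consent("c-1001", "granted", "marketing-email", "web-form-7", "v2", t)
    store.record_consent("c-1001", "withdrawn", "marketing-email", "unsubscribe-link", "v2",
                         t.replace(day=20))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("c-1001 marketing consent:", s.has_consent("c-1001", "marketing-email"))
    print("c-1002 marketing consent:", s.has_consent("c-1002", "marketing-email"))
    print("erasure evidence:", s.erase("c-1001"))
```

The erasure log deliberately holds no name, email or free text, only the keyed reference and counts, so it can be kept indefinitely as evidence without itself becoming personal data you then have to justify retaining. Real systems also need the retention exceptions mentioned above, which this example does not model.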
GDPR compliance makes your business better
The GDPR deadline may be looming, leaving many company executives feeling dread, but it brings long-term benefits because it forces companies to interact with their customers more honestly. The transparency GDPR demands gives both companies and their customers better communication.
Companies that adhere to GDPR can expect better lead conversion and customer retention. An ERP solution helps make compliance easier, and it is a smart move for companies that want to become customer-centric and run data-driven marketing.