“Answers directly related to how we interpret GDPR and what we need to do to be compliant are hard to find. So we know that across the industry, definite answers are quite rare,” says Daniel Jonsson, head of data analysis and project manager of the GDPR compliance project at Mynewsdesk.
We interviewed Daniel, who has led the GDPR compliance project at Mynewsdesk. Daniel has been working on the project since April 2017. We picked his brain to get an understanding of what he has learned, and to see if Mynewsdesk has any words of advice to share.
GDPR is the new EU privacy law that goes into effect on May 25th, 2018. It’s a privacy law similar to the privacy laws EU countries already have in place. It regulates the processing of personal data in organizations. So the main effect of GDPR is that the individual is going to receive better control and better information regarding their data. The emergence of GDPR means that companies need to prepare and make sure they’re complying with the rights of the individual.
We got started on the first preparations about two years ago. That is when the GDPR work got started on a group level. And at Mynewsdesk, we’ve been running the project since April 2017.
We got started by assigning a GDPR taskforce, where we had representatives of each department involved. This is to make sure we take each perspective into account. We also have a bigger project team, where each department has their project manager to run their GDPR compliance efforts.
Yes, we’ve been cooperating with a law firm since the project started, and we’ve got in-house legal support for GDPR-related issues too.
One of the first steps was to do a personal data inventory across the whole organization. This is the central piece of documentation we are using to comply with GDPR. And it has been vital for running the project.
The next step was the legal work in actually defining the legal ground, or, as GDPR calls it, the ‘lawfulness of processing.’ To achieve that, we cooperated with lawyers to determine the purpose and define why we’re processing data. Consequently, we needed to ensure we’ve got legal ground for each of our data processing purposes, and we needed to document it. Since then we’ve been running projects across the whole organization to ensure each department makes its specific preparations.
Defining, documenting and implementing routines across the organization is what it’s often about. Making sure each department processes data aligned with the ‘lawfulness of processing’ and ensuring that the ‘data subjects’ rights are met is critical.
A data subject is an individual whose data is being processed by a company. And GDPR sets out a number of rights that companies need to honour towards these data subjects. For example, we have the ‘right to be forgotten’, meaning any ‘subject’ can request that their data be removed if they so choose. That is one example you’ve got to take into account as a company when complying with GDPR.
The PR industry as a whole is affected by GDPR to no small extent. What’s interesting are the polls, as some aspects of GDPR are a bit trickier to solve. Some polls say up to 90% of companies don’t have an automated process to comply with the ‘right to be forgotten.’ So it’ll be interesting to see how companies are developing services to automate this and basically how companies will be solving questions like that.
Another interesting thing to see is how companies deal with ‘consent’ and whether it’ll be the primary legal basis for companies in general. For a lot of organizations, collecting consent for all their data subjects will be quite burdensome.
In general, the PR industry has less intrusive data processing going on compared to the marketing industry. So in a way, the marketing industry will have to devote a lot of work to make sure they are in fact GDPR compliant. That said, I believe the PR industry is in a more comfortable position.
If you look in the industry and talk to companies engaged in GDPR projects, the biggest worry lies with companies that say they’re 100% compliant. I think the companies that are doing good work would say: “We’re working towards compliance, and we’ve got the roadmap to get there. But, we know we’re not 100% compliant at this point.”
There are most definitely companies out there that are. But it’s contingent on available resources and the specific challenges each industry faces.
GDPR compliance is a lot about creating awareness across the organization when it comes to privacy-related issues. To make the organizations work in a privacy-first manner and to take privacy into account when you embark on new projects. This is a very important aspect of being GDPR compliant.
We’ve been approaching the GDPR project from two perspectives. One is, of course, that Mynewsdesk should be GDPR compliant and we’ve worked to define and document internal processes needed for that. And the other perspective is also to assist our clients in their compliance efforts. So to help them, we’ve developed small changes in the tool to make sure we’re supporting our clients in their compliance efforts too.
We know that across the industry, definite answers are quite rare. Answers directly related to how we interpret GDPR and what we need to do to be compliant are hard to find. But what we need to do is change old habits, create awareness around privacy issues, and work in a privacy-centric way. Those aspects are vital for any GDPR compliance project.
Again, Mynewsdesk has been running the GDPR project for two years, and we’re 100% committed to being GDPR compliant. Also, we’ve got the roadmap and tasks defined to get there.