GDPR & Your Cloud Supply Chain
Blog authored by Ian Moyse.
Yes, yet another GDPR content piece. Bored yet? GDPR, as I predicted, is appearing daily in articles, blogs, tweets, news items and more, and this will increase as we approach the May 25th deadline, when it becomes enforceable law.
Are you a cloud vendor (as we are at Natterbox), or a customer of a cloud platform? Do you act as a data controller or a data processor? What difference does this all make, and what has changed?
Those who have realised the implications and liabilities of GDPR and have started to act will also have quickly realised that this extends not only internally, but externally.
Everyone who needs to be GDPR compliant (let’s be honest, that is most firms) should have started their process long before now, but many have not, or have done less than should have been achieved by this date, so close to enforcement.
What is already driving some firms is the realisation that customers are asking them for GDPR compliancy statements, questioning where they are in their process, and asking them to provide a GDPR statement within RFI, RFQ and ITT responses.
You need to put your business and teams in a strong, aligned position on GDPR, both in terms of the compliancy of your own business and that of any solution you may be providing to your clients. Is your product or service relevant to GDPR? Does it positively or negatively affect the client’s GDPR position? Your team needs to know how to answer customer questions around GDPR accurately on both counts.
As a minimum, where is your GDPR public statement (by the way, Natterbox’s GDPR public statement can be found here)? What verbiage should your team use in customer proposals, and who is your internal go-to person when they need further help or guidance?
From a Sales and Marketing perspective, you might feel GDPR is a pain, not your issue and one for the backroom boys to sort out. Wrong! GDPR will hit Marketing and Sales squarely between the eyes, and quickly. How you treat customers’ data, how you use it and how you behave will all reflect on your GDPR profile. Whether or not what you sell has any alignment at all, you as a business certainly must know your stuff around GDPR.
When GDPR is discussed verbally with clients, do you know what your employees are saying and how? If a customer gives consent verbally for their data to be used or logged, how do you capture this proof? Simply making a note in a CRM that ‘Sue said okay to add her to marketing list A’ will no longer be enough; you need evidence of consent. Electronically, such as through email or a web site, this is invariably captured, but verbally?
We are already seeing increased discussion of the call recording function, with businesses recognising the benefit of having recordings easily at hand against a customer record, not only for training purposes but increasingly to aid compliance.
So, for GDPR the time is now: get your act together, consider what tools your team requires in terms of both information and technology, and quickly put them in place. It has been made clear by the authorities that negligence will certainly not be a defence should you fall foul of a breach or a raft of citizen complaints, and as awareness of individuals’ rights and power grows, we can all expect customers to start to invoke them.