Last week, we held our first training session with partner 360Suite entitled ‘GDPR: Practical Steps to Becoming and Remaining Compliant’. We ran the event with our new partners as both our companies are getting questions from customers about the changes in data protection regulation. Red Olive and 360Suite both see the legislation as a powerful opportunity for businesses to ensure they are being compliant with the law, but more importantly to check that they are using data in the most powerful way. Although we are past the deadline for GDPR to come into practice, all companies need to remain compliant, so for all businesses – no matter their size or in which industry, GDPR work continues.
We spoke to Jefferson Lynch, Client Director at Red Olive and Patrick Perrier EMEA Director – Analytics Centre of Excellence at 360Suite about the current situation and challenges SMEs are facing with GDPR.
Why have you decided to partner?
JL: There is a lot of synergy in our approach to data management and our target customers. Both of our companies see technology as an enabler but at Red Olive, we tend to take a broader business approach to looking at data when working with customers. 360Suite is really focused on helping SMEs using Business Intelligence (BI) more effectively with a suite of tools that offer an added layer of functionality for customers using SAP Business Objects. Both companies are advising customers to take a defensive approach to GDPR to ensure they are becoming and remaining compliant.
PP: We can see there is a gap in the market for SMEs who are using BI but who need a more dynamic way of getting an overview of their data performance. For us, working together with Red Olive to provide a solution was a no-brainer as our solutions dovetail to provide a broader, solid offering.
You’re both seeing GDPR as an enabler – what are the biggest challenges you see customers facing?
JL: Depending on the company, this can vary dramatically. With GDPR, the regulations can be interpreted by each company individually. With the work we have been doing with clients over the past 18 months, we have seen how these interpretations can differ dramatically. Same regulation but completely different business processes in place depending on the company’s risk evaluation and whether they are a B2C or B2B company.
I think one of the challenges businesses are facing is which approach they should take and also where do they start. Red Olive has worked with a number of organisations on their GDPR preparations, and with the aim of helping others benefit from what we have learned. We have captured our findings in a memorable six-step process which we call ‘SHIELD’ to help our clients develop a GDPR strategy and implement it. With SHIELD, we can help them quickly evaluate their current position and where they want to be through a series of steps. This is where working with GB&Smith is great as some of these tasks are looking at technology and dashboards to get a snapshot of data and business performance.
PP: That’s true – we have a 10-step process which encourages investigation, execution and constant review and by running through this with customers, they can see how they can apply this information to the wider data strategy that Red Olive is recommending. The biggest challenge we see customers facing is when they realise how much data they are holding in different silos and technologies, with quite often, no overall dashboard to get a full picture. The investigation process is always enlightening but sometimes can be quite stressful, throwing up a lot of questions and concerns. As well as helping to destress, we actually find these questions and concerns quite helpful as it means we can ensure we are helping to put adequate systems and processes in place for the future, which really meet a customer’s needs.
For someone who has been given the role of data processor or data controller and who has little experience of working with data, what are your top tips for thinking about data management?
JL: Who has access? Who needs access to your different data types. The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the Data Protection Act (DPA), that is, the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved. GDPR places further obligations on you to ensure your contracts with processors are compliant.
PP: We recommend you don’t panic. Instead, ask yourself the following questions and see where you are – or get in contact and we can help!
- What personal data does it contain?
- Where are personal data stored?
- What is the lifecycle of personal data?
- Who has access to personal data? Who uses this access?
- What records are kept of processing activities related to personal data?
- How are personal data processed?
- What safeguards are in place to secure personal data?
- How long are personal data retained? How can they be erased?
- Where are the users located (e.g., in what countries)?
There is a lot to think about and specific challenges for SMEs – where would you recommend they start?
PP: Use technology wisely. Really think about your business needs and ensure you are using the right technology for them. No matter what system you use, (whether it’s Business Objects or not), make sure you have dashboards that let you see what is really going on in real-time. If you are using Business Objects, make sure you are using tools like our 360Suite that provide in-depth visibility into how you have deployed your data management including, critically, how to document data flows to achieve and maintain compliance – and to prove it to auditors.
JL: I would recommend thinking about your broader business goals. What can you learn about your business while implementing new processes? The primary aim of SHIELD is to ensure that once a company becomes GDPR compliant it is able to remain so, but it also acts a great way to investigate the data you already hold. If you are really struggling with GDPR, or getting a true picture of your business’ performance, get in contact or ring us on +44 1256 83 11 00 and find out how we can help you.
More about Jefferson
After joining Unilever as a graduate, Jefferson became a Chartered Management Accountant and rose to become Unilever’s European Data Warehouse Programme Manager before moving into consultancy. Initially a partner in an established Business Intelligence consultancy, in 2010 he started Red Olive in order to promote an ethically enabled Data Consultancy. Jefferson has more than 20 years’ experience in the fields of Analytics, Data Mining and Data Management working with a wide variety of leading organisations. The underlying theme of Jefferson’s and Red Olive’s work has always been to add value through better exploitation of the information and data organisations already hold.
More about Patrick
Patrick Perrier is passionate about helping companies maximise their SAP BusinessObjects investment with complex issues such as regulation, migration, and administration. He has over 17 years of experience in Business Intelligence, starting back when he worked at Crystal Decisions and then Business Objects. More recently, he has held roles including Head of Technical Architecture, BI, and Training.