“So we know that across the industry, definite answers are quite rare. Answers directly related to how do we interpret GDPR and what we need to do to be compliant are hard to find,” says Daniel Jonsson, head of data analysis and project manager of the GDPR compliance project at Mynewsdesk.
We interviewed Daniel, who has led the GDPR compliance project at Mynewsdesk, to ask him a few GDPR-related questions. Daniel has been working on the project since April 2017. The content team at Mynewsdesk picked his brain to get an understanding of what he has learned along the way, and to see if Mynewsdesk has any words of advice to share.
What is GDPR?
GDPR is the new EU privacy law that goes into effect on May 25th, 2018. It’s a privacy law, to no small extent, that is similar to the privacy laws that EU countries already have in place. It regulates the processing of personal data in organizations. So the main effect of GDPR is that the individual is going to receive better control and better information regarding their data. The emergence of GDPR means that companies need to prepare and make sure that they are complying with the rights of the individual.
When did Mynewsdesk start working on GDPR compliance?
We got started on the first preparations about two years ago. That is when the GDPR work got started on a group level. And at Mynewsdesk we have been running the project since April 2017.
How did the project start?
We got started by assigning a GDPR taskforce, where we had representatives of each department at Mynewsdesk involved. This is to make sure that we take each perspective into account. We also have a bigger project team where each department has their project manager to run their GDPR compliance efforts.
Did we seek external legal counsel?
Yes, we have been cooperating with a law firm since the project started, and we also have in-house law support for GDPR-related issues.
What were the various steps in the project plan to meet GDPR compliance?
One of the first steps was to do a personal data inventory across the whole organization. This is the central piece of documentation that we use to comply with GDPR. And it has been vital for running the project.
The next step was the legal work in actually defining legal ground, as we call it in GDPR ‘lawfulness of processing.’ So that is when we cooperated with lawyers to determine the purpose of why we are processing data, and to make that clear, and to ensure that we have legal ground for each of our data processing purposes, and to get that documented too. And since then, we have been running projects across the whole organization where we make sure each department makes their specific preparations.
And what are those specific preparations?
It’s often about defining, documenting and implementing routines across the organization. So it’s a lot about making sure that each department processes data that is aligned with the ‘lawfulness of processing’, which we have defined, and that the rights of 'data subjects' are met.
What do you mean by ‘data subject’?
A data subject is an individual whose data is being processed by a company. And GDPR states some different rights that companies need to meet with these data subjects. For example, we have the 'right to be forgotten' which means that any 'subject' can request their data to be removed if they would want to do that. That is one example you have to take into account as a company when you are going to comply with GDPR.
What do you think will be the most significant challenges for the PR industry?
The PR industry as a whole is affected by GDPR to no small extent. What is interesting here, if you look at the polls, is that some aspects of GDPR are a bit trickier to solve. Some polls say that up to 90% of companies do not have an automated process to comply with the 'right to be forgotten'. So it will be interesting to see how companies are developing services to automate this and basically how companies will be solving questions like that.
Anything else that comes to mind?
Another interesting thing to see is how companies deal with consent and whether consent will be the primary legal basis for companies in general. For a lot of companies, it will be quite burdensome to collect consent for all their data subjects.
Will GDPR affect marketing and advertising more than the PR industry?
In general, the PR industry has less intrusive data processing going on compared to the marketing industry. So in a way, the marketing industry will have to devote a lot of work to make sure they are in fact GDPR compliant. So in a way, I believe the PR industry is in a more comfortable position.
Do you have any words of advice to other organizations?
I think if you look in the industry and talk to companies that are engaged in GDPR projects, the biggest worry, I would say, is companies that say they are 100% compliant. I think the companies that are doing good work would say: "We are working towards compliance, and we have the roadmap to get there. But, we know we are not 100% compliant at this point."
So is anyone 100% compliant?
There are most definitely companies out there that are. But it is contingent on available resources and the specific challenges each industry faces.
Can you give a tip on GDPR compliance across an organization?
GDPR compliance is a lot about creating awareness across the organization when it comes to privacy-related issues. To make the organizations work in a privacy-first manner and to take privacy into account when you embark on new projects. This is a very important aspect of being GDPR compliant.
How have we been approaching this at Mynewsdesk?
We have been approaching the GDPR project from two perspectives. One is, of course, that Mynewsdesk should be GDPR compliant and we have worked to define and document internal processes needed for that. And the other perspective is also to assist our clients in their compliance efforts. So to help our clients, we have developed small changes in the tool to make sure that we are supporting our clients in their compliance efforts too.
Any last words?
So we know that across the industry, definite answers are quite rare. Answers directly related to how do we interpret GDPR and what we need to do to be compliant are hard to find. But what we need to do is change old habits, create awareness around privacy issues, and work in a privacy-centric way – those aspects are vital for any GDPR compliance project.
As mentioned before, Mynewsdesk has been running the GDPR project for two years, and we are 100% committed to being GDPR compliant. And we have the roadmap and tasks defined to get there.