The digitalisation of business has become an established strategic norm, whether this is via e-commerce or other channels.
For businesses to be competitive, they must maintain a digital presence and adapt their processes to fit. However, in doing so, whether through website or software development, they must also ensure that they remain properly compliant.
This need is all the more pressing under GDPR.
The issue is that a digital business often contracts development work out to third parties. Are the web or software developers it uses in a position to ensure that the digital aspects of the business are fully up to date when it comes to GDPR?
IT Governance and Compliance
Digitalising their services means many companies are now handling confidential, personal information from customers and other website visitors. They may be using proprietary software to manage customers and process their data.
Organisations with in-house development resources typically establish IT governance programmes to ensure their use of technology aligns with their business objectives, and also that it is compliant.
SMEs, however, may not have this kind of in-house resource at their disposal. They are then much more reliant on outsourced support to develop websites and software.
This can mean they have no established framework for ensuring best practice.
In this type of situation, businesses must be made aware of their responsibilities, and what outside expertise they may need to ensure they are fully compliant.
What to Watch Out For
GDPR places a number of data processing obligations on businesses. These include:
- keeping records of all data processing activities
- securing personal data appropriately
- documenting data protection policies and procedures
- carrying out data protection impact assessments where processing is likely to result in a high risk to individuals.
Businesses are expected to assign roles and responsibilities in this area, including, where appropriate, a Data Protection Officer. They should also ensure staff are made fully aware of regulations regarding compliance.
They must ensure that their data processing is lawful, and that they follow the rules for gaining consent to collect data.
The rules on obtaining consent are much stricter now. It is not enough to have any old privacy notice on your website. Consent must be freely given, specific, informed and unambiguous, and the website must be designed in such a way that a visitor actively gives it rather than having it assumed.
If a business has commissioned its own software, this must have data protection and privacy considerations integrated into its design from the start.
For example, many businesses rely on customer relationship management (CRM) software, but under GDPR this needs to have the relevant impact assessments carried out, and it will need to have privacy built into its design.
Are Your Partners and Suppliers Trusted?
Businesses without sufficient in-house resources must ensure they work with trusted partners and suppliers to deliver the digital tools they need to better engage with prospects and customers.
If the work of a third party lets them down, they will still be held responsible, because the personal data is being handled in their name: the business remains the data controller, and a developer or supplier processing data on its behalf must do so under a written contract setting out its obligations. Operating as a digital business and being compliant must go hand in hand.