How to Create Business Value While Ensuring GDPR Compliance. The Altitude Case Study

Altitude is committed to create value for its customers while executing on its own European General Data Protection Regulation (GDPR) compliance program. Companies can miss that there are benefits from a GDPR program. For Altitude it is an opportunity to build customer trust, improve customer relationships, establish better data controls, and improve internal data handling and availability. A GDPR program can be an opportunity to embark on a wider data transformation that will benefit the whole business.

In this context, Altitude has also committed to being GDPR compliant and introduce “Privacy by Design” features and capabilities across its services and solutions. The goal is for customers to be able to leverage Altitude’s portfolio of products and services to manage and control personal data to meet their GDPR obligations around difficult issues like accessing, protecting, exporting or importing data.

Because the GDPR is based on principles rather than rules, the onus is on individual companies to determine implementation in their particular context. This process is uncertain, and many companies are struggling to understand how can they best interpret, measure, and monitor compliance.

In this context, Altitude has identified and executed a number of actions that contribute to a successful GDPR effort. Check whether your organization is already taking these steps.

• Ensure ownership. Altitude’s senior leadership approval and buy-in was vital in ensuring that the program was securely anchored in the company’s overall strategy. The challenge of ensuring compliance requires an approach that cuts across functions and business units. All the teams involved—legal, marketing, IT, R&D, and others— committed, and shared responsibility for a roadmap for change.
• Develop an interpretation of the requirements. Altitude brought in external consultants for an early assessment and to develop the most likely scenarios for the company, taking the industry view into account, and achieving a balanced view of the impact of regulation.
• Build an inventory of all personal data processing activity. Altitude developed a clear definition of its enterprise architecture and an inventory of where all personal data it holds comes from, what is done with it, what are the legal grounds for processing it, and whom the data are shared with. The company mapped all the activities that use personal data and got its owners to provide all the details about the data processing.
• Identify the uncertainties and any unacceptable risks. Working with external consultants, Altitude identified all the activities and actions necessary to ensure compliance in areas such as legal, cybersecurity, application development, operations, etc, coming to a shared understanding of what it really needed to do in order to minimize reputational risk, maintain customer trust, and avoid last-minute issues.
• Determine what should be ready for May 2018. Altitude built a roadmap that identified which aspects of the regulation and which data assets were critical to compliance and made them a priority. This means understanding legal requirements, defining what risks the business is willing to accept, and what value it seeks to extract from the GDPR compliance effort.
• Develop an organizational setup for data protection. It now has an organizational setup for GDPR with relevant managers from different areas. This team is working in the definition of the processes and procedures required for the DPO function.
• Extend processes to partners and suppliers. Altitude is creating processes and procedures to ensure that partners and suppliers are GDPR compliant in relation to Altitude and to ensure customers of Altitude’s compliance to GDPR.

The steps above will help any organization get on the right track to meet the implementation date. Organizations that fail to comply could face high fines, legal actions and reputational damage, while failing to capture additional business flexibility and value. Treat the new regulation as a high priority for the whole organization and as an opportunity to create value for your business.