Roughly half the blogs I’ve written in the last 6 months have been about the GDPR or privacy in general. I could take this as a good sign in that it beats hands-down writing about PCI, but the reasons I write about both of these ‘regulations’ in the first place are two-fold:
- Organisations do so little homework on applicable regulatory compliance that they leave themselves wide open to unscrupulous vendors and consultants; and
- I want to do everything in my power to protect organisations from those unscrupulous vendors and consultants.
From the GDPR’s first release came the “You can get fined 4% of your global revenue!” scare tactics, Now it’s the May 25th ‘deadline’ scare tactics. Millions upon millions have already been spent on vendors spectacularly unqualified to provide GDPR services, and this will continue as long as bullet 1 above remains true.
Therefore, in a series of several blogs, I will attempt to show just how simple GDPR compliance is. That’s right, SIMPLE. Yes, it will likely be bloody difficult, perhaps even expensive (up front), but it is simple. However, while it may be relatively costly in both capital and resource costs, do you really think supervisory authorities expect you to sacrifice the lion’s share of your profits just to achieve GDPR compliance?
Let me assure you that no supervisory authority cares about compliance itself, they care about protecting the human rights of all natural persons. As long as what you do for compliance is APPROPRIATE to the risks inherent in how you process personal data, this will be enough. For now anyway.
As far as I’m concerned not one organisation, regardless of size, region or industry sector, has to perform anything different than the steps I’ll be laying out in this series. The steps are the same, and should always start with the ‘prerequisites’.
GDPR Compliance Prerequisites:
- READ IT! ALL OF YOU! – There is not one person who does business with organisations ‘established in the Union’ to whom the GDPR does not apply. Not one. You are responsible in some way of ensuring other people’s personal data is protected, and you should be aware of your rights when it comes to your own data.
No, the GDPR is not the easiest read, but even a single pass through would remove a significant chunk of the confusion, AND put you in position to ask better questions. NB: This may help – GDPR in Plain English
- Senior Leadership Buy-In – Like everything else, if the top people in an organisation are ignorant and/or ambivalent, so will everyone else be. Even if someone did care, they’d get no support. Your Board of Directors don’t have to be GDPR experts themselves, but they had better take it seriously. The accountability principle will likely attract civil penalties as supervisory authorities write aspects of GDPR into national law.
- Stakeholder Training – This can be as simple as a one day engagement where an appropriate representative of each departmental vertical (HR, Sales, Operations etc.) undergo GDPR training bespoke to their business needs. While you’re not going to get all the way to lawful basis(es) for processing, determination of the appropriate next steps should be relatively straightforward. So should the removal of the fear-factor that has no place in this process.
- Designation of Project Ownership – If you already have a Governance function, this is easy, just give it to them. If you don’t, you will have to assign the initial project to someone with enough knowledge AND influence to be effective. Yes, than can be an external consultant, but it’s much better if they are an internal resource. Or even better, a team of resources.
The list of action items at this early stage are already well defined, the most important one being the rounding up and ‘orientation’ of subject matter experts from each unique part of the business.
- Find Appropriate Legal/Privacy Expertise – Regardless of how much you can do yourselves, unless you already have a qualified in-house resource, you are going to need help. From determining the legal basis(es) for processing, to privacy notices, to contract clauses, parts of your business are going to change. Don’t cheap out and hire a muppet, but don’t get fleeced. Find an appropriate resource to get you through this stage. Just bear in mind there are a LOT of generous experts out there who are making their knowledge and even templates freely available. Use them where you can.
For those of you who have already performed a GDPR implementation engagement, the above may seem like something the tooth-fairy would propose. It’s simply not realistic. And while I somewhat agree, if you don’t at least TRY to put the above in place first why are you even getting involved?
I will admit that you can begin a GDPR project without ANY of the above – that’s next week’s Step 2 -, it’s just significantly more difficult.
Again, the implementation of GDPR is simple, but only if you’re in a position to ask the right questions.
[If you liked this article, please share! Want more like it, subscribe!]