With the GDPR coming into force on 25 May, organisations are hopefully buried in the detail of determining the legal basis for processing personal data, arguing over how to re-consent their marketing database, or tracking down the last isolated data silo in that department everybody had forgotten about.
If you recognise any of these scenarios then it may be helpful to take a deep breath and remind yourself of what we are trying to achieve. Here are five big ideas to think about:
1. The GDPR is a journey. It is a programme of works, not a project that ends at midnight on 25 May. Even if we have achieved complete understanding of our data, documented everything in sight, and achieved 100% of our staff training objectives the GDPR will require constant attention. Those asset registers, data processing maps and breach reporting logs need to be kept up-to-date. Data processors need to be continually monitored and someone has to keep an eye on an increase in customers asserting their new rights.
2. Do not treat the GDPR in isolation. At London Business School (LBS) we recognise that GDPR-compliance is not just a matter of ticking a few boxes; the regulation demands that you be able to demonstrate compliance with the data protection principles. The GDPR should be integrated into your information governance framework with processes for privacy, impact assessments and privacy by design assessments updated. If your information governance framework is not as robust as it should be, the GDPR provides the ideal opportunity to strengthen it.
3. Adopt a holistic approach. Full compliance with the GDPR requires activities that involve people (training and awareness), processes (accountability and transparency) and technology (will it provide the necessary functionality to support the new data subject rights, for example the right of erasure or of portability). None of this can be the sole responsibility of a single department or team. Finally, what is your organisation’s data telling you? Is it managed according to the six principles of the GDPR, which include purpose, data and storage limitation? Will your carefully-laid plans be betrayed when someone looks under the proverbial bonnet of your personal data holdings?
4. The GDPR requires cultural and behavioural change across the organisation to be effective. The GDPR, as has hopefully been demonstrated already, is not just another bolt-on piece of legislation. If the requirements are to be fully embedded into your organisation everyone must accept responsibility for managing personal data at all levels. Maybe your organisation is already operating at level five (optimising) of your data maturity model, or maybe your change management programme needs to be invoked to support GDPR implementation.
5. Resource and support your GDPR programme. Perhaps it goes without saying that the GDPR needs to be properly resourced to make it work. Resourcing does not necessarily mean throwing money at it. When implemented thoughtfully the GDPR should enable an organisation to gain control over its data processing and so give you a competitive advantage in winning new business by providing assurances to your customers. At a minimum you should be able to demonstrate external compliance with your privacy notices, marketing consent collection forms and processor agreements. If you cannot get those right customers may look at your competitors instead of you.
Now having taken that deep breath it's back to arguing with IT over how you are going to update the organisation’s breach management procedures before May. Good luck to all in your endeavours.
Graham Jennings is data compliance manager at London Business School (LBS)
Want to find out more about GDPR? Register for our webinar in partnership with Sage People on 14 March
