Ready for GDPR
May 5, 2018

Ready for GDPR? No? Don’t panic, keep calm & check this now

By Paul Laughlin

The time is almost upon us, are you ready for GDPR? No? Well join the queue.

It seems the norm, amongst the leaders & analysts I meet, to feel under-prepared. Despite what has been a two-year, preparation period, most organisations are not ready.

But, that doesn’t mean you need to panic. As with most challenges in business life, the worst reaction is panic. Whether that is being like an ostrich (with head in the sand, denial), or like a headless chicken (running around achieving nothing).

Ready for GDPR? No? Prioritise

Those organisations whom I’ve helped prepare for GDPR, have firstly needed to prioritise. Let’s be frank, there are a lot of potential issues to get your head around. Even my previous, very high-level posts, on “don’t get bitten on the bum by GDPR“, required two posts for that summary.

So the first step, to avoid being an ostrich or a chicken, is to prioritise where to focus your efforts. Some leaders perform better under last-minute time pressures. So, May 25th deadline should be ideal.

Without offering any legal advice here (which I’m not qualified to do), I suggest that a good place to start is externally. Get your shop window right. This can’t be done in isolation from the planning & checking you can deliver on your promises. But, it makes sense to not have glaring omissions following enforcement deadline.

Almost all GDPR experts seem to agree that an Information Audit is the best place to start. I agree, but would recommend starting by doing one scoped to covering your externally facing risks. Scope just a one day audit to review GDPR compliance gaps with regards to your ‘shop window”.

By that I mean your visible presence (physical & digital) to consumers. Check compliance of all marketing presences, websites & regular communications with regards to:

  • Clarity on legal basis being used for all data processing
  • If require consent, ensure it is proactive, informed & specific
  • If legitimate interest basis, ensure informed those people
  • If required to perform service/product, ensure that is clear too
  • Publish both a shorter Privacy Notice & link to Privacy Policy
  • If not done already, publish clear Cookie Policy (visibly)
  • Ensure all data capture (forms) are compliant
  • Verify whether data subjects are children (or exclude)
  • Provide visible means of data subjects exercising all rights
  • Communicate rights simply & have clear points of contact
  • Delete all data that you cannot justify retaining

Once done, this one-day-assessment should enable you to spot the most obvious ‘own goals‘. Fixing those first makes sense, prior to moving on to a more robust compliance plan.

Ready for GDPR? No? Plan

Having suggested such an external focus, it is essential to also ensure that you can deliver on your promise. Which in this case means comply with your stated policies & data usage.

With so much to remember, it’s important to have a clear plan. Part of what you will need to do is complete the full Information Audit begun above. To focus on internal process, governance, security, people etc. But, you also need to ensure you keep track of what you find.

There is a growing repertoire of GDPRsolution‘ software and broader innovations in RegTech. But, I’d suggest not rushing to invest in a technology solution, until you are clear on your priority gaps. When working with clients, who are preparing for GDPR compliance, I find an Excel spreadsheet can help.

I know that sounds very simplistic, but sometimes you don’t want the tool to distract from the real work. So, I recommend using Excel to record two things. Firstly, your current & desired state against all the aspects that should be covered by an Information Audit. To determine the categories of what you should check, make us of the free diagnostic checklist already published by the ICO:

Data protection impact assessments

Click here for a sample DPIA Template Click here to contact the ICO about your DPIA A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. You must do a DPIA for processing that is likely to result in a high risk to individuals.

Once you have that as a framework for your review, Excel is a great tool for simply recording what you find & what is needed. Given your need to prioritise, I find it helpful to use ‘traffic lighting‘ of the gap you find behind current state & what is needed:

  • Red = a complete gap, urgent work is needed
  • Amber = current solution is insufficient, only partial compliance
  • Green = sufficient to achieve compliance, defensible

For those with the time to be more sophisticated, you may also want to capture urgency, importance & likely cost. Those three dimensions routinely help prioritisation for your planning.

Then, using the project management tool of your choice, log the work to be done in coming months. Although it makes sense to address the ‘Red‘ gaps first, consider how long different tasks will take & any interdependencies. It is often more efficient to intersperse a focus on fixing significant gaps, with shorter pieces of ‘Amber‘ work.

This could all sound blindingly obvious, and I apologise if I’m preaching to the converted, but too few have done this. Combined with fixing the most obvious gaps, it is key evidence for your regulator.

If you are going to be well positioned to answer any challenge from the ICO, ensure you:

  1. Have fixed most visible items (esp in your digital presences & comms)
  2. Have a documented Information Audit to show them
  3. Have a plan of action, that is in progress, to close your gaps

Such evidence will reassure most regulators. However, given frequent mentions of culture within GDPR, there is one other aspect you should not neglect.

Ready for GDPR? No? People (don’t rely on processes)

My past experience, of working with the Financial Conduct Authority (FCA), is relevant here. The FCA is also an outcome focussed regulator, working to ensure ‘good outcomes‘ for clients of Financial Services. A review of their approach, especially past fines, will show how often they have focussed on culture.

Although sometimes treated as all about processes & documentation, managing Conduct Risk is about people. The FCA expects to see customer centric cultures, with evidence of education & governance. These should encourage right behaviour & discourage bad practice (like volume sales targets).

With a similar outcome focus, I would expect the ICO to be looking for evidence of cultural change. How could you evidence that you’ve ensure your senior leaders understand GDPR & all staff are aware? What matters is that people have support to grasp the GDPR theory & apply that to what they do in their day-to-day roles. That is where good quality training can really help.

I’m convinced this will be a growing need, as organisations complete initial remedial work, so I’ve developed such a course:

Whether you choose to use that, or training from another provider, I suggest you invest in such education. Not only will it ensure leaders & workers understand what to ensure/prevent, but it also provides evidence. Being able to show the ICO that you have trained all your managers (or all staff), is the fourth output I recommend.

So, in summary, although there are now only a few weeks to go, I recommend you work towards this evidence for the ICO:

  1. Fixed visible items (esp in your digital presences & comms)
  2. A documented Information Audit (internal & external)
  3. A project plan, that is in progress, to close your gaps
  4. Evidence of staff training, applying theory to day-to-day

Ready for GDPR? No? What are you doing about it?

Given the scale of potential fines (despite reassurances from ICO on proportionality), you may be scared. But, I hope you can see above, even if you feel under prepared, you can still take action. Just start doing that now.

As most companies do feel under prepared, I’d be interested to read  what you have chosen to prioritise. Where are you focussing in the limited time available?

Do you have anything to declare on GDPR?