GDPR is only weeks away… keep calm and carry on

Mark Humphries, Business Consultant, Civica considers the next best steps...

Almost every day I receive emails or letters asking me to read revised privacy policies, update my privacy settings or renew my consent. There’s a sudden flurry of activity on the General Data Protection Regulation (GDPR) front as everyone scrambles to put everything in place for the 25th May 2018 deadline.

But what if you don’t think you’ll be ready in time? What if you still have questions about what is and isn’t allowed under GDPR? Are all your suppliers GDPR compliant? And if they’re not, how would you know? How can you make sure that everyone in your company is respecting GDPR? What if there’s something that nobody has thought about? And all the other ‘what ifs’ which spring to mind?

The reality is that many companies will not be fully compliant with GDPR on 25th May. And it could be argued that formal compliance isn’t really achievable. GDPR is not an exhaustive list of what is and isn’t allowed; it’s a principle-based, legal framework, not a prescriptive recipe. Compliance is something that companies are expected to demonstrate by following the principles, not achieved by following a checklist of do’s and don’ts.

Like any problem which looks too big and scary to face, the key is to break it into manageable chunks, set priorities and work methodically through the list, confident that you are doing the most important things first.

The most important aspect of GDPR is figuring out who is responsible for what. GDPR is not just an IT issue, and the Chief Information Officer is not solely responsible. The board is responsible for data protection, which was always the case under the Data Protection Act (DPA). Anyone who is not convinced should watch TalkTalk’s CEO Dido Harding being grilled by a parliamentary committee on parliament.tv.

A core team for delivering GDPR compliance needs a good project manager; someone who understands GDPR (and preferably someone who gets data governance) plus involvement from legal, HR, IT and internal communications teams. But the real engine of any GDPR compliance project are the operational employees who keep your business running day- to-day. These people know how your business uses personal data and what happens to it.

This is important because the second priority is to have a complete picture of what you actually do with personal data. The absolute core of GDPR preparation is getting the answers to the following six questions:

1.  What personal data do you collect?
2.  Why do you need it?
3.  What do you do with it?
4.  Who do you share it with?
5.  How do you secure it?
6.  What do you do with it when you no longer need it?

As a data subject, I think it’s reasonable for me to ask these questions of anyone who holds my personal data. If you can’t answer these questions, then you can’t write a privacy notice that is accurate, you won’t be able to process a Subject Access Request and you’ll struggle to explain why you can’t process a Request for Deletion. You also run the risk of appearing negligent in the eyes of the Information Commissioner’s Office (ICO) if they should subject you to an audit. Under DPA, the ICO has handed out the largest fines for systematic abuse of personal data or for negligence.

Answering these six questions is a very good place to start. If you can’t answer them confidently, then confirmation from your Customer Relationship Manager system supplier that their system is GDPR compliant is meaningless.

Once you have the people in place and have attempted to find answers to the six questions, you will have a pretty good idea of what needs to change and why. It will probably be a long list which needs to be prioritised according to risk. What is the likelihood of the associated risk, what would be the impact if it materialised and over what timescale might it occur? Once you have the prioritised list in place, or the ‘GDPR backlog’, you have your plan to work through, one logical step at a time. So if you’re not compliant by the deadline but can show you have a credible team in place, demonstrably working to a realistic plan which prioritises outstanding changes according to the risks that they pose, you’ll be in good shape to face the challenges and opportunities to come.