General Data Protection Regulation – where should you start?

This is a guest article written by Craig Clark. The author’s views are entirely his own and may not reflect the views of IT Governance.

Within the information security and privacy space, the GDPR and its many and varied implications have been under discussion for some time. Outside this arena, though, it has taken longer to reach a wider audience. Now, with well under two years to go, the GDPR touch paper has been lit, and many organisations are beginning to worry about its wide scope and how best to achieve compliance before the Regulation applies from 25 May 2018.

While GDPR compliance will be a challenge, the good news is that it is not as daunting as it first appears: much of what you already do for the Data Protection Act and for information security carries over into GDPR compliance, which leaves you free to concentrate on the genuinely new requirements.

Below are five key steps to getting your GDPR compliance activities up and running, and some advice for making the most of the remaining time to maximise the chances of achieving compliance.

Step 1: Get the basics right

Fundamental to achieving GDPR compliance is laying foundations that will serve your organisation well in the months and years ahead. The best way to do this is to become very familiar with, and a regular visitor to, the Information Commissioner’s Office (ICO) pages on data protection reform on the ICO website. As with the current Data Protection Act, the ICO will be the UK’s supervisory authority for the GDPR. The benefit of this is that the ICO is producing a wealth of GDPR-specific guidance to help organisations comply. As a starting point, I recommend reading its ‘12 steps to take now’ document, which gives a handy breakdown of what organisations should be doing to tackle compliance.

Once you have read the 12 steps, put a copy in the hands of the people responsible for running the organisation – in other words, get the GDPR on the C-suite’s radar. Make no mistake, the GDPR is not a one-person task: it is going to take time and commitment, and the sooner that commitment is secured, the sooner you can move on to step 2. The C-suite will have many questions and this is your chance to answer them. There is plenty of published material to draw on, but it is important to focus on the positive impact of the GDPR (better-understood data, fewer surprises, customer trust) rather than only on the penalties.

Step 2: Establish a GDPR project

Once the decision-makers understand the impact of the GDPR, you should seek to establish a formal GDPR project. As a minimum, the project team should consist of key stakeholders: heads of departments and representatives from legal, governance, finance and human resources, together with the IT or information security function, which will own much of the breach detection and reporting work. Remember that the GDPR project will inevitably involve some tough decisions and will encounter a number of pain points on the path to compliance, so I also suggest that senior management either sit on the project board or, as a minimum, ensure the project mandate carries the authority to make those decisions and allows the project manager to follow them through.

Step 3: Set the milestones

As with every project, success or failure often depends on effective management. The GDPR is no different: it is big and it is complex, but it is a project all the same. By setting milestones and dates for the key deliverables, you can build the activities around a framework. Key deliverables that can serve as milestones include:

  • Identifying the personal data you currently hold, including data types the GDPR newly treats as personal data (online identifiers, for example)
  • Delivering a GDPR awareness programme
  • Managing subject access requests within the shorter one-month timescale, and in most cases without charging a fee
  • Obtaining valid consent and handling its withdrawal
  • Appointing a data protection officer, where one is required
  • Detecting, handling and reporting personal data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a notifiable breach
  • Updating privacy notices
  • Performing effective data protection impact assessments (DPIAs)

Once you have delivered these elements, you can be confident that you are well on the way to achieving compliance.

Step 4: Leave yourself time to evaluate

Many organisations are putting a big red circle around 25 May 2018 as the date by which they must be compliant, since this is the date from which the GDPR applies. What organisations need to bear in mind is that the GDPR will require a number of new policies, procedures and processes that take time to embed into business-as-usual activity. The easiest way to ensure a smooth transition is to test the new processes against multiple ‘what if’ scenarios in order to identify and fix the gaps that will inevitably arise: walk a simulated breach through the detection, assessment and 72-hour notification process, for example, or run a mock subject access request end to end against the one-month deadline. To give yourself room to fix what you find, I suggest beginning the evaluation phase in January 2018 so that any glaring issues can be rectified before May.

Step 5: Ensure GDPR becomes business as usual

While the GDPR can be treated as a compliance project in the short term, the objective is to build compliance into everyday practice. This sounds obvious, yet many organisations are focused on reaching a position of compliance rather than on how to sustain it after May 2018. Ongoing compliance should be a crucial element of your wrap-up and evaluation activities. While I fully anticipate that the Information Commissioner’s Office will be understanding about the complexities of compliance, there will come a point at which GDPR practice is expected and auditable. When that time comes, everyone should be working within the compliance framework laid down by the project team.