'Tis the GDPR season
Over the past few months, I’ve attended and hosted a variety of GDPR events. I’ve read a lot of articles, documents and supporting information. With GDPR’s final state still being decided, there is a lot of information and advice which may or may not be relevant to your own organisation.
[Figure: Google Trends interest for "GDPR" since Nov 2015]
But there are some common themes that everyone can act on, and I wanted to summarise them for those of you unlucky enough not to have attended a GDPR event so far.
There is a lot to achieve by the deadline, and I certainly don’t think it's possible for most organisations to be fully compliant on 25th May 2018. Organisations need to evidence that they are taking GDPR seriously, and below are three key things you can be doing now to get your programme underway.
Get senior stakeholder support
GDPR will affect every business in the UK. In recent years, it's difficult to think of another regulatory change that will cause as much disruption to the way organisations conduct business. What’s more, because of how pervasive technology is, GDPR will have an impact on every employee in your business. In that sense, the importance of GDPR cannot be overstated, and it’s imperative that you have board-level support for your change programme. The harsher penalties that GDPR could bring mean this is a change that should be sponsored at the highest level.
Hire a GDPR expert and appoint a Programme Manager
GDPR is unusual: its impact is massive, yet the final details are still being decided by the Article 29 Working Party. EU law is not known for its brevity, so whilst it’s possible to read the regulation and interpret it yourself, it’s probably a good idea to consult a specialist advisor in data protection. When thinking about the change programme, you’ll need someone to lead it, and that might be an internal appointment. It’s not essential to look for someone with previous GDPR experience. I advise clients to look for people who have completed change programmes within financial services, a sector rife with regulatory and compliance directives. Companies in financial services have no option but to comply with regulations in order to continue trading, so if someone has delivered regulatory change in that sector, he or she should be well suited to your GDPR programme. A key skill to identify at interview is how they’ve influenced senior stakeholders in previous roles. Speak to their references to find out how they engaged and collaborated with internal managers to achieve the programme goals.
Get on with it
Key aspects of a GDPR programme will be mapping your data and conducting a gap analysis. In any business, and particularly in complex organisations, this will take some time. The gap analysis will give you the information to prioritise your risks, and it’s the highest risks you need to address first as time ticks away towards the GDPR deadline. However, whilst waiting for the gap analysis to complete, you should be getting on with other things that evidence your organisation is working towards GDPR compliance. These could include:
- Establish a GDPR file to hold all your related material
- Identify who will be your Data Protection Officer, if one is required
- Update your data protection and retention policies
- Plan your employee GDPR training
- Write your data breach process
- Engage with key suppliers regarding GDPR responsibilities
For more information or help with your own GDPR programme, please don’t hesitate to contact me or listen to our recent webinar: