The day of doom has come and gone. Company executives everywhere breathed a long sigh of relief, I am sure, but if you are a member of any compliance, marketing or data protection team, you know that the work has only just begun.
Some days it felt like I was in a nightmare, struggling to change processes, but now that it’s all over, I am astounded by what we have accomplished as a team in such short time frames. I wouldn’t ask for another regulation like this, but I have always been pro-GDPR so on the bright side, I was part of a positive change that I believed in and the end outcome is a place I am proud to be.
I can only imagine the varying degrees of work other organizations have gone through in order to be compliant, and many still have a long way to go, but at least the bulk of the work is out of the way.
It's been a hell of a ride, so it's worth taking a minute to reflect on the lessons we have learnt in becoming GDPR compliant. I'd love to hear your own experiences and insights about your road to compliance in the comments too. Let's compare notes!
Auditing and Planning
As daunting a task as it sounds, the best way to plan for implementation is to actually read the regulation. I tried looking for summaries or bullet points, but they end up costing you more time because you have to fill in the gaps, and you are always at the mercy of whoever did the summarizing.
In the end, you have to take the bull by the horns, sit down and read it from cover to cover. The GDPR is a complex piece of work, so the reality is that the more 'vague' areas took several reads.
Although the regulation only mandates it for certain organizations (Article 37: public authorities, and those whose core activities involve large-scale monitoring or large-scale processing of special categories of data), it is so important to appoint a Data Protection Officer (DPO) within your organization. They not only act as a central point of contact for the GDPR project but can also be looked upon by the rest of the organization as an authority on all data-related matters.
A DPO should be responsible for translating the law into policy for the business, but they will need a team of people to actually implement those policies at a practical level. Where process change is required, an intricate knowledge of departmental procedures is needed, and the DPO won't have that. When selecting a 'GDPR tiger team', it's most valuable to choose somebody from each of your departments so that, as the acting project manager, you minimize the number of people you need to get information from.
Designing the Customer Experience
The customer (i.e. the data subject) is at the very heart of the regulation. After all, it is designed purely to enhance their rights and freedoms. Part of the user experience must be to convey the fact that they are in charge of their data. They own it; we merely borrow it until such time as they want it back.
Of course, there are local legal requirements that take precedence (think financial regulations) and industry requirements (think the CA/Browser Forum's Baseline Requirements), and there will be processing activities that we cannot avoid because they are necessary to perform a contract with the data subject (a lawful basis in its own right under Article 6). However, that is all back-office stuff and typically of no interest to the consumer. They just want to know that they can manage what communication they receive and that any data they do give us is securely stored and lawfully processed in accordance with their wishes.
Security and Privacy
One of the core principles of the new regulation is data protection by design and by default (Article 25), more commonly called privacy by design. What this means is that every data processing activity, every system that you use and anything new that you would like to introduce, whether bespoke or off-the-shelf, must put the rights and freedoms of the data subject at the very forefront of the requirements spec. No longer can you bolt it on as an afterthought. What we did was to sit down with all areas of the business and perform process analysis and tools analysis so that we could map out where our data was coming from and going to. We also performed risk assessments and data protection impact assessments (DPIAs) for these activities. This was a very useful exercise for highlighting any areas that needed amending to adhere to the requirement.
Staff education and awareness training is not only a key requirement but also good practice. Let's be honest, unless it's your day job you're not going to know the intricacies of the law and what it means to the organization as a whole, let alone to your specific role.
This is where focused and applicable training comes into it. The way I approached this was to spend some time giving a general overview of data processing principles, breach impact, etc. and then, per department/role, made it clear how it applied to them. Giving real-life, everyday examples was key to understanding and knowledge absorption. It's a big topic and, in reality, quite dry, so it's important to serve up training in a little-and-often methodology, and I always start a session by recapping the previous one. Just for added fun, an annual exam always throws up some unexpected questions.
The bulk of the regulation is about process and procedure, and ensuring that all of it is adequately documented. As a by-product, you also achieve excellent change management, because if a process or tool changes, the documentation changes to reflect it. Of course, technology solutions can really help you achieve some of the core criteria, from IAM (to ensure verified access control) to encryption and pseudonymisation, which Article 32 names explicitly as appropriate security measures and which, in the case of encryption, can also remove the duty to notify data subjects after a breach (Article 34).
It's important to remember that there is no one 'silver bullet'. GDPR compliance is the culmination of all of these components coming together and acting as one holistic solution. Articles 28 through 30 set out the obligations of controllers and processors, including the contract a controller must have with every processor, and Article 82 makes each party liable for the damage its processing causes, so irrespective of how you've positioned yourself with your vendors, business partners and other third parties, if they lose your data you are also responsible.
With that in mind, we took the decision to perform some auditing tasks with all of our third parties to ensure their GDPR compliance/readiness, information security measures and other business practices, and if we weren't happy with the response then we gave them some time to put corrective actions in place or we served notice of termination. Why would you voluntarily put your organization at risk from somebody else's mistake when you can take preventative measures?
GDPR became enforceable on 25th May 2018 (having been adopted some two years earlier, in April 2016). It's a massive mistake to think that once you've done all your preparation, you believe you've got there and the magic date arrives, it's all over. It's not; it's really just beginning.
Now the hard work begins: you have to maintain compliance, keep up everything you've worked so hard on over the last two years and, of course, keep business productivity managers happy. It defeats the object to have the most secure, most compliant company in the world if it can't actually operate.
It goes without saying that your processes will evolve over time as new technology becomes available, and it's a challenge keeping pace with it all. However, when you do, your organization stands out as the one that knows what it's about, can deliver products and services competently and stakes its entire reputation on its ability to protect what's most important: the personal data of every employee, customer and user.