Procurement 19 February 2018

Five steps towards GDPR compliance within the next 100 days

The data protection bill will cover General Data Protection Regulation (GDPR)

With only 100 days before new data protection laws arrive on 25 May 2018, Ryan Wain, chief marketing officer at Unlimited Group, gives business owners a five-step checklist for full GDPR compliance.

There was only so long I could avoid our data protection guy. I did try. I stopped seeing work friends and avoided lunch. I would stay away from key meetings and hover a distance away from the printer, just so I wouldn’t bump into him. My professional life became stilted, until it got to the point where it was inconvenient and a bit weird. And then, hungry, and in need of printed materials, I buckled.

It was finally time for that conversation. I called Dave Wonnacott: our data protection guy. Here’s what Dave told me:

“The GDPR clock is ticking loudly. But when it comes to starting the journey towards compliance, it’s never too late. With focus and a clear plan, GDPR compliance within the time frame is still possible for the many UK organisations not yet ready.

“A staggering 26 per cent of UK companies claim to be less clear on what needs to be done since last year’s Brexit vote or feel (mistakenly) they will not need to comply at all once Britain leaves the EU.”

This is exactly the sort of thing Dave brings to any chat. Important stuff that is crucial to the lifeblood of any organisation. Then, he outlined five steps towards success.

  1. Take a deep breath and don’t panic

While all organisations located in, doing business with, and/or employing citizens of European Union countries will be impacted (this includes UK organisations, as the UK government and ICO have confirmed that the GDPR will replace the UK’s Data Protection Act 1998 from 25 May 2018), the tasks faced by different organisations will vary by their size and function.

The only way forward is to understand how GDPR compliance will affect you, and to do that you will need a clear head.

You will need your management to agree to act now and to understand that this is likely to require co-operation with your clients and your suppliers. Although primary responsibility for compliance lies with “data controllers” (those making decisions about data gathering and processing), unlike current data protection law, GDPR also places statutory obligations on “data processors” (those contracted by a data controller to process data).

  2. Secure stakeholder buy-in, then outline the parameters of the project

Becoming GDPR-compliant will require a lot of work, and this needs organisation-wide support. A powerful motivator is to address it as an insurance policy – an essential project to undertake in order to mitigate the risks associated with failing to protect and secure data under the new legislation further down the line.

Carphone Warehouse’s £400,000 fine, imposed last month by the Information Commissioner’s Office after hackers gained unauthorised access to the personal data of more than three million customers and 1,000 employees during a cyber-attack in 2015, is a powerful cautionary tale. Also worth bearing in mind is a recent report estimating that ICO fines in 2016 would have shot up from £880,500 to £69m if GDPR had been in force that year.

An important decision at this point is to give someone overall, cross-departmental responsibility for building compliance rather than simply allocating the task to the IT or legal departments. Someone with past experience of day-to-day data processing activity but without any specific vested departmental interest, for example, is well-positioned to know who in an organisation to ask about what data exists, and where that data might be.

A roadmap will also be needed so everyone can see where the project is heading, with key milestones and measures to assess and, where appropriate, reward its progress.


  3. Undertake an organisation-wide data audit

By doing this you will understand and identify what data you have, where it is and how it is being used.

Distinguish between personal and non-personal data, identify its use, the processes applied to it and the legal considerations. This does not have to mean line-by-line data analysis – where they can be, different data sets can be grouped together.

But you will need an understanding of all the different data sets you have for the transparency and accountability needed to demonstrate as part of GDPR compliance.

Inevitably, you will find data that’s years old and no longer needed. If you decide this poses a compliance risk, deleting it delivers immediate benefits.

  4. Catalogue the results of your audit

Rather than use a spreadsheet, our business, Prophecy Unlimited, implemented a wiki, enabling the many different people within the business who gathered details to input and share them simultaneously.

The key here is to ensure the information you enter is simple and accessible and reveals any gaps. The advantage of a wiki is that it provides a live tracking resource that is easily updated going forwards. The GDPR requires that your compliance documentation is kept up to date, so whatever method you use to store your audit results, it should form part of a process that keeps them current.

  5. Address and fill the gaps in your data audit

If there is an item related to the data, its processing or purpose, or the consent for it, that you cannot locate or show to be compliant, these are the things you need to sort out first. Close your gaps and you’ll have a firm foundation going forwards.

Throughout this compliance process, it is essential to involve as many people within your organisation as you can. In our business, we make sure everyone – from data specialists to receptionists – is given the same data protection training because failure in compliance is much more likely to result from human error than a faulty automated system or process.

Possibly the most important consideration is to avoid viewing GDPR compliance as a process with a hard and fast end point. Rather, it will be an on-going journey as you gather and process new data moving forward. It is important to put in place a clear plan and process that is demonstrable and transparent, because it will be those unable to demonstrate that they’re progressing towards GDPR compliance who stand the greatest risk of censure by the ICO.

These five steps won’t make you compliant, but they are essential to the journey. Do these first, and you’ll know everything you need to know to put the remaining GDPR requirements in place; you’ll have a clear view of what data you can keep, what processes are missing, and where you have to update your language and consents.

Those, then, are my learnings from Dave, drawn from the past 18 months he has spent working on GDPR compliance both within Prophecy Unlimited and the 25 other specialist businesses that make up the Unlimited Group.

For those still struggling with where to start, the message is simple: when it comes to beginning the journey towards GDPR compliance, it’s never too late. So, don’t be like me. Don’t put off talking to your data protection officer. Instead, get started on your data audit and gap analysis, now.

Let your compliance journey commence.

Ryan Wain is chief marketing officer at Unlimited Group

Dave Wonnacott is chief data protection officer at Prophecy Unlimited
