With only 100 days before new data protection laws arrive on 25 May 2018, Ryan Wain, chief marketing officer at Unlimited Group, gives business owners a five-step checklist for full GDPR compliance.
There was only so long I could avoid our data protection guy. I did try. I stopped seeing work friends and avoided lunch. I would stay away from key meetings and hover a distance away from the printer, just so I wouldn’t bump into him. My professional life stilted. Until it got to the point when it became inconvenient and a bit weird. And then, hungry, and in need of printing materials, I buckled.
It was finally time for that conversation. I called Dave Wonnacott: our data protection guy. Here’s what Dave told me:
“The GDPR clock is ticking loudly. But when it comes to starting the journey towards compliance, it’s never too late. With focus and a clear plan, GDPR compliance within the time frame is still possible for the many UK organisations not yet ready.
“A staggering 26 per cent of UK companies claim to be less clear on what needs to be done since last year’s Brexit vote or feel (mistakenly) they will not need to comply at all once Britain leaves the EU.”
This is exactly the sort of thing Dave brings to any chat. Important stuff that is crucial to the lifeblood of any organisation. Then, he outlined five steps towards success.
Take a deep breath and don’t panic
While all organisations located in, doing business with, and/or employing citizens of European Union countries will be impacted (this includes UK organisations, as the UK government and ICO have confirmed that the GDPR will replace the UK’s Data Protection Act 1998 from 25 May 2018), the tasks faced by different organisations will vary by their size and function.
The only way forward is to understand how GDPR compliance will affect you, and to do that you will need a clear head.
You will need your management to agree to act now and understand this is likely to require you to do so in co-operation with your clients and your suppliers. Although primary responsibility for compliance lies with “data controllers” (those making decisions about data gathering and processing), unlike current data protection law, GDPR also includes statutory obligations to “data processors” (those contracted by a data controller to process data).
Secure stakeholder buy-in, then outline the parameters of the project
Becoming GDPR-compliant will require a lot of work, and this needs organisation-wide support. A powerful motivator is to address it as an insurance policy – an essential project to undertake in order to mitigate the risks associated with failing to protect and secure data under the new legislation further down the line.
Carphone Warehouse’s £400,000 fine, imposed last month by the Information Commissioner’s Office after hackers gained unauthorised access to the personal data of more than three million customers and 1,000 employees during a cyber-attack in 2015, is a powerful cautionary tale. Also worth bearing in mind is a recent report estimating that ICO fines in 2016 would have shot up from £880,500 to £69m if GDPR had been in force that year.
An important decision at this point is to give someone overall, cross-departmental responsibility for building compliance rather than simply allocating the task to the IT or legal departments. Someone with past experience of day-to-day data processing activity but without any specific vested departmental interest, for example, is well-positioned to know who in an organisation to ask about what data exists, and where that data might be.
A roadmap will also be needed so everyone can see where the project is heading, with key milestones and measures to assess and, where appropriate, reward its progress.
Undertake an organisation-wide data audit
By doing this you will understand and identify what data you have, where it is and how it is being used.
Distinguish between personal and non-personal data, identify its use, the processes applied to it and the legal considerations. This does not have to mean line-by-line data analysis – where they can be, different data sets can be grouped together.
But you will need an understanding of all the different data sets you have for the transparency and accountability needed to demonstrate as part of GDPR compliance.
Inevitably, you will find data that’s years’ old and no longer needed. If you decide this poses a compliance risk, deleting it delivers immediate benefits.
Catalogue the results of your audit
Rather than use a spreadsheet, our business, Prophecy Unlimited, implemented a wiki, enabling details gathered by many different people within the business to input and share simultaneously.
Take a look at our GDPR resources
The key here is to ensure the information you enter is simple and accessible and to reveal any gaps. The advantage of a wiki is it provides a live tracking resource that is easily updatable moving forwards. The GDPR requires that your compliance documentation is kept up-to-date, so whatever method you use to store your audits they should be able to be part of a process to keep it live.
Address and fill the gaps in your data audit
If there’s an item related to the data, its processing or purpose, or the consent you can’t locate or show is compliant, these are the things you need to sort out first. Close your gaps and you’ll have a firm foundation going forwards.
Throughout this compliance process, it is essential to involve as many people within your organisation as you can. In our business, we make sure everyone – from data specialists to receptionists – is given the same data protection training because failure in compliance is much more likely to result from human error than a faulty automated system or process.
Possibly the most important consideration is to avoid viewing GDPR compliance as a process with a hard and fast end point. Rather, it will be an on-going journey as you gather and process new data moving forward. It is important to put in place a clear plan and process that is demonstrable and transparent, because it will be those unable to demonstrate that they’re progressing towards GDPR compliancy who stand the greatest risk of censure by the ICO.
These five steps won’t make you compliant, but they are essential to the journey. Do these first, and you’ll know everything you need to know to put the remaining GDPR requirements in place; you’ll have a clear view of what data you can keep, what processes are missing, and where you have to update your language and consents.
Above then, are my learnings from Dave, drawn from the past 18 months he has been working on GDPR compliance both within Prophecy Unlimited and the 25 other specialist businesses that make up the Unlimited Group.
For those still struggling with where to start, the message is simple: when it comes to beginning the journey towards GDPR compliance, it’s never too late. So, don’t be like me. Don’t put off talking to your data protection officer. Instead, get started on your data audit and gap analysis, now.
Let your compliance journey commence.
Ryan Wain is chief marketing officer at Unlimited Group
Sign up to our newsletter to get the latest from Business Advice.