With only 10 months remaining before the GDPR deadline, businesses are urged to start taking action now so that they can demonstrate the technical and organisational measures required by 25 May 2018. Six key steps will guide you through the process of achieving compliance with the new regulation.
I was recently at a Fintech event speaking to a room of 150 delegates about GDPR readiness. The first question I open with is “who has heard of GDPR?” Not surprisingly, everybody raised their hands (probably due to the fact that there has been no shortage of information on the EU regulation). The second question I ask is “who is actively doing anything about GDPR?” Out of 150 people, I counted only 10 hands raised. This on-the-spot survey is consistent with a recently published article by Gartner entitled “Top 5 Priorities to prepare for EU GDPR,” where it states 50 percent of organisations will fail to comply with the GDPR. An IT governance paper entitled “General Data Protection Regulation (GDPR) Report” also backs up this statement. It surveyed over 250 professionals globally and concluded that only 50 percent of businesses are doing anything towards being compliant with the EU regulation. The report also highlights that the average budget that organisations have assigned to GDPR is £5000 and existing staff members have been appointed to carry out the DPO role.
The EU regulation poses a significant challenge for most businesses because no single standard exists to support it. Over the years, I have implemented ISO frameworks and PCI DSS environments, and although these can be challenging, there is a clear set of prescriptive requirements that you need to meet. By contrast, the GDPR consists of 99 articles and 173 recitals, all written from a legal perspective, which is a huge amount of material and very hard to digest. Now apply a £5,000 budget to the task of compliance and hand it to poor Julie from accounts, who has recently been promoted to DPO, and we can see why businesses are finding it difficult to know how to put the right frameworks in place to deal with the problem.
With only 10 months remaining and the heavy sanctions which the EU can place on your business, the risk of doing nothing far outweighs the risk of doing something. However, what should you do in order to meet the regulation by 25 May 2018? It is clear that GDPR leans towards recognised standards such as ISO 27001 and BS 10012 (the British standard for a Personal Information Management System, or PIMS), but not all businesses have these in place. The following steps will guide you through the process of achieving compliance with GDPR.
Step 1 – Add GDPR to your corporate risk register. The potential of being fined up to 4% of your global annual turnover or 20 million euros (whichever is higher) and suffering reputational damage to your business means that the number one risk to your business right now is whether you are going to achieve compliance with GDPR by the May deadline.
Step 2 – Add GDPR as an agenda point within the boardroom. 68% of boardroom members are aware of GDPR; however, nobody at this level is taking ownership and driving compliance. GDPR requires a top-down approach, as decisions must be made regarding budgets, people and organisational changes. If the board does not provide this input and instead simply appoints somebody internally at mid-management level, there will not be the support required to implement the framework.
Step 3 – Create a governance team. Within your organisation, personally identifiable information (PII, or "personal data" in the regulation's own terms) may flow through all departments, including HR, Accounts and the IT department. Each department will have its own manager, so it is fitting to appoint these managers to form the governance team. They will be able to drive operational process, policy and procedure through their respective departments and create the necessary awareness within their teams. At this juncture, you may also require the services of a consultant or DPO to outline their responsibilities and tasks. A RACI model is ideal for mapping key individuals to GDPR tasks in order to drive compliance through the business. Regular checkpoint meetings thereafter will help track progress and mitigate risk.
Step 4 – Privacy by design. Wherever you store, process or transmit PII you must align with the six principles of GDPR. The first task of the governance team should be to understand where PII flows through your business. Once you know what information you hold and where it is held, you can design your controls and systems according to the six principles. Depending upon the knowledge within your business, you may require third-party applications or tools to help you discover this information and report on its status. This is a crucial step because it makes you think about how PII is handled within your organisation and ask the right questions: on what lawful basis do you process the data (and, where that basis is consent, how was it obtained), do you have a defined and limited purpose for the information you hold, is the data accurate, and is it stored only for as long as it is needed?
Step 5 – The enhanced rights. GDPR sets out eight enhanced rights for data subjects (individuals in the EU, not only EU citizens). You will need to ensure your business clearly understands these rights and your accountabilities. There are specific timelines, generally one month from receipt of a request, within which you must respond with the information requested or take the required action when a right is invoked. The team needs to underpin these rights with the correct policy, process and procedures. As with any new policy or procedure, the right level of release management needs to take place within your organisation so that the business is aware of which responsibilities have changed. Training and awareness will be an important part of ensuring that the policy, process and procedures work successfully within your business.
Step 6 – Know your role. As well as the enhanced rights, you also have extended accountabilities placed upon you, whether you are a data controller or a data processor. For instance, it is the responsibility of the data controller to notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to use only processors that provide sufficient guarantees that they can process information on the controller's behalf. Similarly, a processor must notify its controller of a breach without undue delay and cannot contract out its responsibilities or duties, because it is directly bound by the regulation. With this in mind, it is vital that you understand your accountabilities and the role you play, and that you put in place the necessary legal contracts and procedures to adhere to the regulation.
These simple steps will help you to build the framework required to meet compliance. By highlighting the risks to your business and providing a top-down senior management approach, you will have the key stakeholders and decision makers needed to drive GDPR throughout your organisation. The governance team will play a vital role in developing the framework and aligning operational process, policy and procedure to the regulation. Understanding the data you hold and applying the six principles of GDPR to that data, while accommodating the eight enhanced rights, will pave the way to compliance. The role your business plays may also need legal consideration in terms of customer and supplier contracts to meet your obligations under the regulation.