How to get GDPR Compliant?
Become GDPR Compliant?
GDPR compliant product?
Scott Nicholson, Delivery Director
If you are reading this, it’s because the title either enraged you, or you believe there is a way to become GDPR compliant. If you’re in the former camp, it’s likely because you know that phrases like “becoming GDPR compliant” are attractive to potential customers, but not necessarily the right message to portray. Data protection is a continual, iterative endeavour. It often involves a level of transformation across the organisation, requiring improvement to the way you process and handle data, whilst embedding roles and responsibilities to operate and manage data protection activity going forward.
Unfortunately, a lot of the conversations we have with clients or vendors involve them trying to sell us something that is ‘GDPR Compliant’ or ‘GDPR Certified’. This is an early warning sign that either the company doesn’t understand GDPR/data protection, or they are using it as a marketing tool. The problem with using this terminology in this way, besides it being misleading and incorrect, is that it can give a false sense of security to the organisation procuring the service.
Move away from “getting GDPR compliant” to understanding the data you have
Conversations should switch away from ‘getting GDPR compliant’. Instead they should move towards a continual set of processes, procedures and supporting technology that enables your organisation to process personal data in a way that respects the rights of your customers, employees and other individuals whose data you may process.
Establishing a framework for data protection can start to move your organisation towards a more sustainable, realistic method of improving the way you process and manage risks to personal data, and establish a continual improvement approach to data protection.
Ensuring data protection has a voice within the organisation will provide a platform for discussions to be had on data protection matters with senior management.
Governance starts with documenting key roles and responsibilities for data protection and how these are implemented. This differs considerably based on industry, company size and the services provided.
Once key roles and responsibilities are documented, it should be down to management to ensure they are approved, communicated and understood by the teams and individuals who will be required to deliver them and demonstrate that the responsibilities are being met. This doesn’t have to be a vast number of roles and pages of responsibilities. Each organisation is different, and it should be enough to enable you to deliver on your data protection obligations and to tailor your organisation’s working practices. Once you have this in place, you should then establish periodic meetings, perhaps monthly or quarterly, to discuss data protection matters.
Representatives should have some form of decision-making authority and provide good representation from all parts of the organisation. Begin by drafting Terms of Reference (ToR), get them approved by senior management and start kicking those meetings off. This will be a little slow at first, but with good preparation beforehand the discussions will improve over time. I would recommend that minutes are taken for these meetings, and that any actions are captured and managed through to completion. Sometimes you may need to consider whether this entire approach can integrate into an existing meeting such as information security, but often the two disciplines require a lot of discussion, and separate sessions are more effective and achieve more success.
The GDPR requires organisations to establish protective measures commensurate to the level of risk within the data processing activities taking place, and has multiple references about risk. However, the GDPR doesn’t provide any instruction or methodology for identifying or managing risks relating to personal data or data protection law.
This is a problem that manifests in many organisations through the use of generic statements such as “we accepted that risk” or “that was deemed to be low risk”, but these are often not supported by any tangible, auditable risk framework or decision making. Some organisations that are certified to ISO27001:2013 (the International Standard for an Information Security Management System) will have a methodology in place for identifying and managing information security risks, which may relate to personal data, but we rarely see mature data protection risk identification and management practices.
If you are looking to start improving data protection, establishing a way to identify, prioritise and manage risks is key, because you will not fix everything in days or weeks; it can take months and sometimes years.
Documenting the risks you are aware of, or that have been reported, is a way to discuss those risks with peers, management and risk owners, with a view to applying any mitigation that can be done whilst the primary remediation is being progressed.
Information security risk practices can be adopted and may be something the organisation already has a familiarity with. It’s just a case of integrating these into data protection processes.
Things to consider are risk tolerance levels (what constitutes high risk and what is unacceptable), which risks get communicated to the board and how, how risk is calculated (e.g. impact + likelihood = risk), and how these measurements and risk factors can be integrated into processes such as Data Protection Impact Assessments (DPIAs) and supplier due diligence.
3. Build Understanding
It is difficult to know what areas to focus on and where your key risks are if you don’t fully understand the processes within your organisation that involve personal data.
Undertaking an audit of your business processes that relate to the processing of personal data can be a really effective way to gain a deep understanding of all areas across the organisation, build relationships with key stakeholders, and start to meet your legal obligation to hold a Register of Processing Activity (RoPA) under Article 30 of the GDPR.
Going through this process, you should seek to understand why the data is processed, what the lawful basis for processing is, the security controls in place to protect the data, data locations, systems and any third parties involved.
Once you have completed this activity, it is important to ensure it is updated as and when new processing activities take place. Many organisations devolve this responsibility to managers and link the updating of the RoPA into other processes, such as procurement or new project management processes.
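To make the risk framework described earlier (tolerance levels, impact + likelihood scoring, board escalation, DPIA integration) and the RoPA fields just listed concrete, here is an added example in Python. It is not code from the original article or from any toolkit the author mentions; the field names, the tolerance band thresholds, the DPIA trigger rule and every sample activity and risk are constructed assumptions that an organisation would replace with its own.

```python
"""Minimal RoPA plus risk register, scored as impact + likelihood.

Added illustration, not the article's own material.  REQUIRED_FIELDS,
TOLERANCE_BANDS, BOARD_ESCALATION, the DPIA rule and all sample data are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed minimum fields for each RoPA entry, following the article's list.
REQUIRED_FIELDS = ("purpose", "lawful_basis", "security_controls", "locations", "systems")
# Assumed tolerance bands over the 2..10 score range: (upper bound inclusive, label).
TOLERANCE_BANDS = [(3, "low"), (6, "medium"), (8, "high"), (10, "unacceptable")]
# Assumed rule: risks at these ratings are reported to the board.
BOARD_ESCALATION = {"high", "unacceptable"}
# Constructed reporting date used by the sample run below.
REPORT_DATE = date(2024, 6, 1)


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    lawful_basis: str
    security_controls: List[str]
    locations: List[str]
    systems: List[str]
    third_parties: List[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None


@dataclass
class Risk:
    ref: str
    activity: str         # name of the ProcessingActivity the risk belongs to
    description: str
    impact: int           # 1 (negligible) .. 5 (severe)
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    owner: str
    mitigation: str = ""  # interim measure applied while remediation progresses

    def score(self) -> int:
        """The article's simple calculation: impact + likelihood = risk."""
        return self.impact + self.likelihood

    def rating(self) -> str:
        return rate(self.score())


def rate(score: int) -> str:
    """Map a score onto the organisation's tolerance bands."""
    for upper, label in TOLERANCE_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 2..10 scale")


def validate_ropa(activities: List[ProcessingActivity], today: date,
                  review_interval: timedelta = timedelta(days=365)) -> Dict[str, List[str]]:
    """Return {activity name: [issues]} for entries that are incomplete or stale."""
    issues: Dict[str, List[str]] = {}
    for act in activities:
        found = [f"missing {f}" for f in REQUIRED_FIELDS if not getattr(act, f)]
        if act.last_reviewed is None:
            found.append("never reviewed")
        elif today - act.last_reviewed > review_interval:
            found.append("review overdue")
        if found:
            issues[act.name] = found
    return issues


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by reference so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.ref))


def board_report(risks: List[Risk]) -> List[str]:
    """References of risks that meet the escalation threshold, in priority order."""
    return [r.ref for r in prioritise(risks) if r.rating() in BOARD_ESCALATION]


def dpia_required(activity: ProcessingActivity, risks: List[Risk]) -> bool:
    """Assumed DPIA trigger: any linked risk rated high or above."""
    return any(r.activity == activity.name and r.rating() in BOARD_ESCALATION for r in risks)


# Constructed sample data (not a real organisation's register).
SAMPLE_ACTIVITIES = [
    ProcessingActivity("Payroll", "Pay staff", "legal obligation", ["encryption at rest", "RBAC"],
                       ["UK"], ["HR-SYS"], ["PayrollCo"], date(2024, 1, 15)),
    ProcessingActivity("Marketing newsletter", "Send product news", "", ["MFA"],
                       ["EU"], ["MailTool"]),
    ProcessingActivity("CCTV", "Site security", "legitimate interests", [],
                       ["UK"], ["NVR"], [], date(2023, 1, 10)),
]
SAMPLE_RISKS = [
    Risk("R-001", "Payroll", "Supplier due diligence for PayrollCo not completed", 3, 3, "HR lead"),
    Risk("R-002", "CCTV", "Footage retained indefinitely with no access controls", 4, 5, "Facilities",
         mitigation="Restrict NVR logins to the security team"),
    Risk("R-003", "Marketing newsletter", "No documented lawful basis for marketing emails", 3, 4, "CMO"),
    Risk("R-004", "Payroll", "Payslips emailed unencrypted", 2, 1, "HR lead"),
]

if __name__ == "__main__":
    for name, found in validate_ropa(SAMPLE_ACTIVITIES, REPORT_DATE).items():
        print(f"RoPA issue: {name}: {', '.join(found)}")
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.ref} {r.rating():>12} ({r.score()}) {r.description} [owner: {r.owner}]")
    print("Escalate to board:", board_report(SAMPLE_RISKS))
```

Running the block lists the two incomplete or stale RoPA entries, the four risks in priority order, and the two references that cross the assumed board escalation threshold; the `dpia_required` check shows how the same ratings can drive a DPIA decision for a given processing activity.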
Build Understanding Checklist
4. Policies & Procedures
Some organisations have in place a raft of policies and procedures in relation to data protection and cyber security. Here, I will focus on core data protection requirements from a documentation perspective.
Once you have completed the previous step of understanding your data, you should develop a series of privacy notices, which are clear, informative and transparent statements that provide individuals with key information on how data is processed.
The next stage is to focus on developing and documenting processes that seek to identify data protection risks and handle requests that come into your organisation under data protection law. This is where procedures in relation to Data Protection Impact Assessments (DPIAs) and procedures for handling data subject rights requests can enable you to have a consistent, effective approach to complying with the requirements of laws such as the GDPR and UK Data Protection Act.
Policies & Procedures Checklist
5. Action & Assurance
Far too often when we initially engage organisations they may have produced some documentation, purchased an awful GDPR toolkit or decided for some reason GDPR doesn’t apply to them! Hopefully, as you have read this far, you’ve identified that GDPR does apply to your organisation and you want to do something about it.
Once you’ve properly completed the above steps, you should start to see some traction within your organisation. You will have key stakeholders involved as part of governance, a process for identifying and managing data privacy risks, an understanding of the data you process, and some core documented processes.
Now the real fun starts. You will need to take the hypothetical good practice and turn it into tangible business process transformation or implementation. Depending on the size and culture of your organisation the approach can vary, but what you are really trying to achieve at a high level is to get departments/stakeholders taking action on the data they process. Whether that be data cleansing, erasure or just improving the way they process personal data (action), you should also build an ongoing process to check that these things are being performed effectively (assurance).
Many Software as a Service (SaaS) applications have assessments built into them which enable you, as the compliance/data privacy person (the person who cares), to send questionnaires and collate responses. These can often deliver highly efficient ways of obtaining assurance, but you are also reliant on the responses of individuals.
I would recommend using something like this if you have the budget, but also include a manual/physical discussion on high risk areas, so that you can ask probing questions, provide advice and get the right level of assurance. A quick Google search for “GDPR Assessment Software” should give you enough options. However, if you don’t have the budget for software, I would recommend building an audit framework, using some of the techniques/questions to revisit how each area processes personal data (amending your RoPA if necessary), and some simple checklists which extract the actionable parts of the documents you have produced. These things combined can be built into existing software you may already have, such as JIRA or Microsoft Forms, or into a PowerApp if you have the technical ability to do so. If not, Excel, Word or good old pen and paper will do (that last one is not for me, or recommended, but better than nothing). Whatever you decide to do, retain the documentation, collate any issues found and develop actions to address the identified issues. This all goes towards being able to demonstrate a bit of accountability and business value, and supports internal reporting to management.
This is not an exhaustive list, but hopefully it gives you some food for thought – if you don’t ensure that your organisation takes action on the things you’ve implemented, it rather defeats the point.
Many organisations don’t believe they need any resources to support compliance with data protection law, but that is unfortunately often because they don’t know what they don’t know. It’s only when organisations become more aware of their obligations and have implemented processes to identify and manage them that they start to see the workload. If you don’t capture this workload in a logical manner, you will struggle to articulate what resources are needed, so always have a structure to identify and report on unplanned work. Microsoft Planner, To-Do, Excel, Google Docs, Trello and Jira are just some of the many tools available.
Actions & Assurance Checklist