By John Stuart-Clarke, Data Protection & e-Privacy Specialist
John works at a large UK Insurer and leads a team of product owners tasked with strengthening the data protection control environment in readiness for the GDPR and the ePrivacy Regulation.
The risks and potential sanctions that GDPR exposes organisations to are eye-wateringly attention-grabbing. They have triggered a variety of responses ranging from the opportunistic repackaging of security products as GDPR Swiss army knives to blind panic at the prospect of a fine that could be big enough to take a company out of business.
In amongst the scare-mongering, confusion and still surprisingly widespread ignorance are the oases of calm we all need to gravitate towards if we’re going to survive until 25th May 2018 and beyond.
The best path to take you to your personal oasis is one that leads you between these extremes whilst avoiding the road on which GDPR is just another acronym passing you by. You do need to act and to be successful, you need to Keep Calm and Think.
Form a Plan
Having a plan means knowing where you are right now, where you want to get to and how you are going to get there.
If you don’t know where you are going, how will you know when you’ve arrived?
In a data protection context, knowing where you are right now involves understanding your state of compliance with currently applicable data protection laws. In my case, chief amongst these are the UK’s Data Protection Act (DPA) and Privacy in Electronic Communications Regulation (PECR). Don’t be tempted to skip this important first step: if you do, you may miss key deliverables that need to be included within your plan and risk laying poor foundations based on incorrect assumptions.
To know where you want to get to you must create a vision of the future. The best visions are short, exciting and memorable. Your vision may be to fully comply with the law or it may aspire to radical, transformational goals, such as reconstructing your organisation’s relationship with its customers or bringing about a step-change in how your staff think about data.
Envisioning is vital. Even with the most modest of GDPR-related goals, reaching your oasis will involve a long journey and if you don’t keep your eyes fixed on a clearly-defined end-point, you may at some point end up floundering, unsure which way to turn next.
Deciding how you are going to get there requires further analysis. Firstly, understand what’s going to change under GDPR – learn about the new and enhanced rights for data subjects, increased accountability for data controllers and processors, and other key changes. You can do this using the free resources provided by your local data protection authority (the ICO in the UK) and any of the excellent freely-accessible blogs published by legal firms such as DLA Piper, Fieldfisher, Bird & Bird and DAC Beachcroft. If I have missed any other good ones, please mention them in the comments section.
I also suggest you join networking groups, ask lots of questions and read some of the books that cover this subject. Consider joining the International Association of Privacy Professionals (IAPP) who offer a wide range of member-only resources that may prove very useful too.
Now you are ready to identify the changes you need to make within your organisation to enable you to move along your journey. You can do this by comparing where you are now with where you want to get to and identifying the gaps. The gaps represent things you need to change or create. I will call these things products, as you’ll need to produce them. Turn them into a list or draw them as a tree-like structure if you prefer to think of them hierarchically.
Your products will be delivered by work and the work you need to perform will require people with certain skills to help you. It may also require some funding. Trying to size, cost, prioritise and resource this work product by product is a lot easier than trying to comprehend the entire endeavour all at once.
Look from Every Angle
When you’re thinking about products, use a range of different perspectives so that you create the most robust plan possible. I like to think from the perspective of people, organisation, process, information and technology, rather the more commonly referred-to reduced set of people, process and technology.
The organisation perspective is especially helpful when thinking about GDPR, because controllers, processors and sub-processors are very likely to be organisations.
Understanding the connections between these different types of organisations and the numerous individual elements of GDPR are key to achieving a good level of understanding of what needs to be done.
The people perspective is also vital not least because of the emphasis on accountability and on the need to take measured action proportionate to risk. You may need to make some specialised appointments to meet the new obligations: do you need a Data Protection Officer? What about data stewards and data owners?
Even if it’s not necessary to make new appointments, you will need to think about training and support for your specialist (privacy professionals, data protection champions) and non-specialist colleagues (project teams, IT security professionals, front-line operations teams) who will ultimately determine how well your organisation adjusts to GDPR.
If this effort feels like overkill for your organisation, take comfort from the fact that preparing even the simplest of plans will make you more aware of the challenges you face. A coherent plan helps break the massive problem of GDPR down into much more manageable chunks, which makes it much easier to tackle and a lot less scary to contemplate.
Take Your People on the Journey
GDPR isn’t just a regulatory compliance issue and it’s certainly not a once-and-done project. Embedding GDPR successfully will permanently change the way you do business and your organisation may need to adjust its culture to get these changes to stick.
It’s important that you involve as many of your people in preparing for GDPR as possible so that they get to come on the journey too. The sooner they are engaged, the sooner they will start to think of potential impacts, spot changes that need to be made and identify opportunities than you may never otherwise see.
Use Your Own People to Help You
When I speak at public events, I often describe myself as a business analyst who bends himself into whatever shape is required to enable me to achieve the outcome I am in pursuit of.
Business analysts have massive tool chests, full of goodies such as internal and external environment analysis techniques, requirement elicitation skills, experience of crafting business cases and the drive to dogmatically ask “why?” over and over, until the tip of the root of the problem is finally unearthed. Business analysts also know how to map business activities and model data flows and how to present each of these views of the world at different levels of detail, tailored for specific audiences.
You may not have any business analysts within your organisation but you almost certainly have colleagues who have displayed skills such as those described above. These people can help you along your GDPR journey.
It’s important to recognise that you will also need executive support. High-ranking sponsorship (hands-on ownership is even better) for the vision you have created and air-cover that can be called on when challenges are raining down will help you avoid roadblocks and maintain momentum.
Using the Expertise of Others
Whilst you can achieve a great deal on your own, you may eventually need the help of an external expert or two, to complete your journey. Whilst expert risk management, information security or legal advice may be very useful to you, I suggest you do as much as you can with the resources you already have before you bring in external experts. This will help you hone in on your true needs before you commit to formal support arrangements and their associated financial consequences.
Does Any of This Sound Unfamiliar?
I would be surprised if much of what I describe sounds entirely alien to you as most of these suggestions are common sense and the rest are drawn from widely prevalent best practice. But I guess that’s the point of this article.
Whilst GDPR is undoubtedly new, data protection law is not and organisational change is an ever-challenging constant. Once the hype of GDPR fades, what you are left with is an (admittedly complex) organisational change. So rather than searching for silver bullets or mythical super-beings, use what has worked well for you in the past to make GDPR a success for your organisation.
Disclaimer: these are my own words and opinions and they are not necessarily shared by my employer. I am not a lawyer nor am I providing legal advice. Please treat my assertions as opinions and feel at liberty to challenge or contradict them as you wish.