Now that the fog is clearing on GDPR, it’s time to speed things up

Original LinkedIn Article: https://www.linkedin.com/pulse/now-fog-clearing-gdpr-its-time-speed-things-up-robert-j-toogood

Was it recently or possibly many months ago, when the legislation was formally adopted by the European Parliament in April 2016? On the other hand, GDPR compliance activities might have been on your organisation's radar even earlier than that.

There is a good chance you have already heard something about GDPR although maybe you have become overwhelmed with it all, hoping that the inconvenience of having to comply would conveniently and quietly go away.

But then you might be reading this article as someone who is working for one of the few organisations that have already started their GDPR implementation activities and are on track to achieving compliance by May 2018.

It is now clear that the legal requirement for your organisation to comply with GDPR is not going to go away and the associated end date is not going to change either.

If you have still not started your implementation activities yet, the risk of non-compliance is therefore significantly increasing for your organisation and its investors.

Opportunities

GDPR is not something to fear.  

It presents many opportunities to add value to and protect your business, provided you open your mind to the important point that it is not just another piece of technical compliance work you give to your IT people, as discussed in an earlier post... it is a fundamental change to the way we handle data within our organisations.

We must also remember that this is the first major revision of data protection and privacy legislation for over twenty years so, if properly implemented, will present many opportunities for better protecting both individuals and organisations in our ever-increasing digital and interconnected world.

As the UK Information Commissioner, Elizabeth Denham, emphasised in a recent speech, accountability is a key change under GDPR. She went onto to add “It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”

Approach

If you haven’t done so already, the time has now come to face into reality and accept the complexity of what is needed within your organisation to comply with this incredibly challenging but exciting piece of legislation

The complexity needs to be managed with care since the implications of non-compliance by May 2018 are significant with those accountable in the boardroom in scope for potential criminal prosecution, as well as the already widely publicised potential 4% of turnover fine and associated reputational damage.

However, it is still not clear that this accountability is truly understood by many boards… as reflected by the number of GDPR programmes that have still yet to start or are woefully underfunded.

So what is needed?

The first step is to setup up a programme… on an enterprise-wide basis to manage your implementation activities, with strong boardroom sponsorship involving all key stakeholder groups within your organisation.

The second step is to structure your programme… by deciding whether to use an already implemented methodology or by selecting a more appropriate one to help direct your critical privacy related activities.

The third step to then tailor your selected methodology… to reflect the realities of the organisational environment in which it is being used, and to integrate any associated privacy related frameworks and supporting tools which are also needed for your organisation.

The fourth step is to plan your programme… involving all key stakeholders and the way in which you have decided to organise your programme activities.

The fifth step is to launch your programme and support it with an appropriate level of resource (and funding) given the challenges that the programme faces within your organisation.

Challenges

The challenges each organisation face will be unique, reflecting a rich and varied mix of different factors including:

- gaps with existing legislation;

- existing and planned system landscape;

- technical infrastructure;

- implemented methodologies, frameworks and standards;

- sector regulatory requirements;

- governance, risk and compliance maturity;

- external certifications.

A further requirements for achieving GDPR compliance is to adopt a risk based approach. This is actively encouraged by the legislation but requires other things to be in place for this to work effectively.  What is best for your organisation will depend on many factors.

Next Steps

What does of all this mean for you?

It means that it is important to include within your GDPR programme people who have the depth and breadth of expertise, both within IT and the business, that can work across the total organisation, building bridges if required between different functional groups and siloes that haven’t traditionally work together.

These people need to be able to see the bigger picture of what is needed based on their experiences in the real-world dealing with similar project, systems and risk challenges.  They need to understand and simplify complexity, addressing the inevitable ambiguity that will be present amongst these implementation activities… helping you connect the proverbial dots to ensure you meet your legal obligations in the most appropriate and efficient way for your organisation.

In the final analysis, it is people who will determine whether a GDPR implementation is successful or not.

Only by recognising this fundamental point, will an organisation move beyond GDPR as a box ticking compliance activity to something that will really add value to the organisation by changing its data culture, enabling it to more effectively compete in the new and exciting digital age.

Where are you on your GDPR implementation journey?

 To discuss these challenges further and their relevance to your own business, please contact Robert direct at robert.toogood@data-tight.com to schedule a completely confidential and no-obligation discussion.

0
  
Robert Toogood
07.03.2017