The journey to GDPR compliance, as with all journeys, starts with working out where you are at present.
The EU GDPR (General Data Protection Regulation) is being brought into UK law, and a new Data Protection Bill is going through Parliament now. GDPR comes into effect on the 25th May 2018 and ALL organisations MUST be compliant on that date.
This will replace the current Data Protection Act (DPA) regime. Assuming that all organisations were compliant with the DPA, as they should have been, their existing DPA compliance is also the place to start their journey to GDPR compliance.
GDPR has 6 Principles replacing the DPA’s 8. The GDPR has more teeth than the DPA; you may have heard of some of the potential fines floating around. The penalties will be more serious and consequential under GDPR than under the DPA, and what organisations might have ‘got away with’ under the DPA, they will not under GDPR.
The start of this journey needs to come via completing a GAP analysis. This needs to ask questions of the senior management at Board level, functional management heads, existing systems, policies and processes.
Question the Board and management on what they know about GDPR. If they know little, they need to be made aware of GDPR, the value of Data to their organisation and the potential consequence of a failure to comply with GDPR.
Then look at the existing Privacy Framework: does it meet the requirements of GDPR? If they are unsure, they should ask GDPR practitioners for assistance and guidance. This will include looking at existing PIMS (Personal Information Management Systems) and ISMS (Information Security Management Systems). If the organisation is large enough, it should consider whether a new Data Privacy Management role is needed, or whether the Information Security Management role and the Data Privacy role should be combined.
Complete an Asset Register and a Data Flow Map. This ‘map’ will identify potential weak points in their data security, because it shows where personal data enters, is stored, is transferred and leaves the organisation.
While this process is happening, organisations should be starting to raise general awareness of Data Security and GDPR amongst all staff, top to bottom. Everyone can play a part in GDPR compliance.
From the Data Flow Map, develop an action plan to plug the gaps in systems and processes.
The organisation will need to review all existing data management and data processing policies and procedures. At the least these will need ‘tweaking’ to meet GDPR; many will need an absolute rewrite.
There are requirements under GDPR that organisations may think do not apply to them. Firstly, GDPR applies to ALL organisations. Secondly, elements of GDPR apply more to some organisations than others, depending on what they do as their core activity, where data is stored, how it is handled and so on.
Our advice is to take advice. Talking costs nothing. Your organisation may be able to achieve GDPR compliance internally, you may need support to guide internal actions, or you may need a full contractor Data Protection Officer (DPO) package.
Above all with GDPR, document everything. Document the work done in getting ready for GDPR, document data processing activities, and be prepared for data breaches: every organisation will have them, you will need to record them and take action, and some organisations will need to report some breaches to the Supervisory Authority, the ICO.