With this in mind, join us in a series of blogs over the next few months where we use examples of our journey to take you down the road to becoming GDPR compliant.
What is GDPR?
GDPR (General Data Protection Regulation) is an update to the existing data protection acts and directives in place, and aims to provide EU individuals with more control over how their data is acquired, used and held. It is a regulation that presides over the data of all EU data subjects, but also organisations that process data of EU individuals elsewhere. Obviously, this has massive implications on the processes of companies holding "personal data", you can read more here.
Why are people panicking over GDPR?
The first issue people have is not knowing what GDPR is. Hopefully the above section and linked blogs helps alleviate that worry. What's funny is that people do know the pretty severe repercussions that will be faced by organisations not complying to these regulations. These include but aren't limited to monetary penalties and legal prosecutions, though it needs to be stressed a majority of these are for serious data breaches and won't be par for the course — especially when everything first kicks off in May 2018.
How do we even start becoming GDPR compliant?
Good question. So much is being said about what is changing with the introduction of GDPR that it's really daunting to think where you're actually meant to start. With any transformation, be it with your technology, process or even the people in your organisation, we recommend starting with a gap analysis and assessing how you are functioning in your "as is" state. That "as is" state should then be compared to your “to be” state (in this case, the GDPR compliant world of tomorrow) to assess the effort in getting the stuff in-between done.
A gap analysis spreadsheet can be as simple as any other checklist you've made in your life. The difficult part is probably gathering an extensive GDPR compliances you need to check off. Microsoft— a heavy proponent of GDPR— has created a wealth of collateral for partners to be able to know what their competencies should be, for more information check out our previous blog.
Identifying personal data in your organisation, and the stakeholders responsible
Alongside the gap analysis, at this early stage in the process it's best you start becoming more conscious of the personal data residing across your organisation. To conduct the gap analysis, we identified the people within ClearPeople who work closest with the different types of personal data we have.
At this point these stakeholders were made aware of the changes to the law and the impact this would have on their stream of work, especially if they had access to personal data that— in the new world, would require more consent from the data ‘owners’. There is currently over 7 months until GDPR comes into effect, so now is the perfect time to start having these discussions internally with your coworkers.
The information audit with these stakeholders should then begin, perhaps in an interview format, and the many stores and silos of personal data should be documented so that you’re aware of their existence at the very least. While there are 1001 questions you can and should ask around how the data enters, is processed and removed from your organisation, perhaps the poignant would be finding out:
- What is it?
- Why is it needed (what’s it used for)?
- Where is it held?
- Who is it shared with/who has access to it?
These questions are your foundations in becoming compliant and once these are answered you’ll find yourself naturally asking the next logical questions. For instance, after Identifying and Discovering what you hold, you may want to find out more around how this data is Managed and the processes in place to do this. Protecting the data from security breaches is also a major part of GDPR compliance and the security procedures in place should become of high interest to you as the processes around management become clearer.
We’ll be making more blog posts on how we’re travelling down the road to compliance. We’re equipped and ready to tackle the long road ahead, so if you need any help finding your footing, get in touch and we’ll help you take your first steps through to compliancy.