GDPR friend or foe? With the GDPR deadline now less than 170 days away (25th May 2018), public sector and Not for Profit bodies face an uphill challenge to be compliant. But is it all bad? Andrew Sandford, Technical Director of We are Lean and Agile, talks about the benefits of GDPR compliance and how you can even use it to deliver real, cashable strategic benefits in your organisation.
Where to begin?
The best place to start with any GDPR compliance piece is at the top. Public sector bodies and, specifically, local authorities have a massive challenge to be fully compliant by the deadline. The sheer breadth of services, systems and data held in a multitude of formats means compliance is not easy. To all Senior Management Teams who believe they have clearly defined roles and responsibilities for GDPR compliance, I would advise you to check and be sure.
The ICO is clear on the role of the Senior Management Team; you must do four things: appoint a DPO (or DPOs; most will already have this role); ensure the DPO reports to the highest management level of your organisation, i.e. board level; ensure the DPO operates independently and is not dismissed or penalised for performing their task; and ensure adequate resources are provided to enable the DPO to meet their GDPR obligations.
See below for the ICO video on messages for the boardroom.
Are these things in place in your organisation?
I have seen many project/programme plans detailing 18 months of work to achieve compliance. The work involved in the basic elements of GDPR compliance – awareness raising; policy, procedure and contract rewrites; documenting what data you hold, how long you hold it and why you hold it; performing data audits on risky processes; embedding DPIAs; defining new processes for handling the new rights; handling breaches; training your staff; and rectifying any issues you find in your systems and processes – would easily take that long. Running this project late is not an option.
170 days does not seem a long time to make sure all those things have happened, especially when you potentially have legacy non-compliant software systems and paper, spreadsheets and databases wrapped around many of those processes as well.
See below for a Q&A session with Elizabeth Denham at the Data Protection Practitioners Conference.
Although I mention local authorities, this applies just as much to central government departments, CCGs and charities. It makes no sense that in each of these sectors a small number of people (normally one) is trying to work out these sticky issues. Why are we not all working together to handle the core generic GDPR compliance issues, including processes, procedures, policies and contracts?
400+ local authorities, 50+ central government departments, 200+ CCGs and 160k+ charities are all doing this alone (maybe some are not, but where is the sharing?). We are Lean and Agile have created a shared GDPR resource (processes and data audit), free for our customers, to help manage the path to GDPR compliance and to deliver your data audits within the existing software.
It is easy to cite the fines of up to 4% of global turnover or €20m, but if you read the ICO blogs it is clear they are not going to jump in and fine the maximum; in fact they highlight that they have never yet used the maximum allowed under data protection law. Compliance should deliver positive outcomes.
As an example of a potential approach, I came across an interesting LinkedIn article on the approach being taken in Belgium by their equivalent of the ICO. Full details can be found in that article, but the key piece of information I have highlighted below.
In accordance with the GDPR, the BDPA will also have the power to impose fines. However, following the Minister of Privacy, the BDPA’s core approach should be conciliatory. In the event of an infringement of the GDPR, the case will generally be closed if the infringing undertaking takes the necessary corrective measures rapidly. Conversely, where an investigation concludes that there are multiple infringements or a systematic disregard for the GDPR, the BDPA would have the option to impose fines directly. Fines would thus be reserved for cases where they are needed, and would not be seen as a way of filling the State treasury.
A lesson I would take from that is whatever you do, don’t ignore the GDPR or your compliance pathway.
GDPR compliance using our software as a tool can be a great strategic opportunity. Imagine if by May 2018 you had mapped your current processes and identified your issues (data and process). Not only would you have gone a massive distance towards compliance, you would also have analysed all your existing processes. By doing this with good software and your staff, you would have identified significant opportunities for savings and efficiencies in your transformation programmes, as well as gaining real insight into what is going on and what your processes cost.
GDPR can be a driver for real organisation benefits when done strategically – risk avoidance; reputational protection; good data governance; organisational change / awareness; process knowledge and tangible savings opportunities identified.
GDPR is not easy, and my experience with numerous customers in the public and Not for Profit sectors leaves me sure that most bodies will not be 100% compliant by the May 2018 deadline. Ask some questions in your organisation, check, but whatever you do don't underestimate the task ahead.
We are not GDPR experts, but we have brought together a series of resources, process maps and data audit tools to help our customers towards compliance and to leverage that compliance journey for continuous improvement of your processes.