Multi-disciplinary approach to GDPR Readiness
GDPR is a regulatory framework, and organisations need to translate this framework and its associated legislation into practice. As such, getting ready for GDPR is essentially a technology-related business change. It requires the skills of a multi-disciplinary team, blending the knowledge of the leadership teams and managers responsible for business operations with expertise from legal, procurement, risk & compliance and information systems.
Tools at our disposal, such as business and information architecture, are ideally suited to operationalize GDPR. If used wisely, the effort devoted to GDPR can allow organisations to realise a range of further benefits. The timetable provides a valuable imperative to kick-start activities and build the momentum needed to effect change. Although GDPR typically lands with compliance teams because of the regulatory angle, it is inherently about correctly handling information.
To address the requirements for GDPR, we see broadly the same approach as that proven with DPA and wider Information Security aspects, which treats the topic as information management best practice. GDPR is today’s imperative, largely due to the much higher levels of potential financial and criminal penalties. This has focussed management attention, provided a more compelling business case and released budgets. This approach applies to any organisation, although sector-specific factors will need to be taken into account to ensure a joined-up approach.
Know your data
Understand the information the organisation has, the purpose for which the information is used and the processes involved. Although the focus of GDPR is personal and sensitive personal information, organisations can take this opportunity to understand the range of information they handle and relate this to the business processes and roles within the organisation and the supply chain. This is the essence of business
Information Management Policy
Define a policy for how to manage information across its lifecycle. Particularly where it relates to identifiable persons, clarity of defined roles and responsibilities is required. Retention rules need to relate to the business need and include steps for periodic review and destruction. The policies need to be put into practice through processes and procedures, with supporting tools.
Governance
Establish processes for governance and assurance of regulatory requirements, particularly the individual rights that are typically handled through Subject Access Request and Consent Management processes – essentially a case management approach. Defining the decision-making process, roles and escalations is a refinement of the business architecture.
Privacy by Design
Translate the principles of “Privacy by Design” into best practice guidance and, where necessary, architecture standards. Protection of information is an information security requirement, not just a GDPR one. Dealing with personal data brings some specific challenges, particularly relating to the potential need for anonymisation and the complexities of granting and potentially withdrawing consent at a granular level.
Information Sharing
Look at information sharing in other countries and with external parties. There are complexities and potential handovers, so this is prone to be a problem area, in particular the lack of properly defined Information Sharing Agreements with 3rd parties.
There are various considerations on how to put this into operation. For example, PIAs can be undertaken on the whole estate at the outset, according to a risk-based prioritisation, or through regular change projects.
Skills & Capability Requirements
Area of interest | Skills & capabilities needed |
Understanding the information landscape | |
Defining organisational policies | |
Defining governance processes (e.g. the PIA process, subject access requests etc.) | |
Third party information sharing agreements | |
International aspects | |
Putting into practice | |
Potential non-compliance | |
What else does good information management help with?
Whilst the regulatory compliance driver is foremost in the preparation for GDPR, applying information management best practice is itself a differentiator in the marketplace. The ability to appropriately use and manage information is a core capability for any business. Whilst GDPR doesn’t provide an accreditation, business customers will need GDPR compliance to be demonstrated across their supply chain.
Furthermore, if an organisation is investing in GDPR, then, done with vision, it can greatly assist:
- Preparation for digital transformation
- Information security and cyber vulnerabilities
- Rationalisation of organisation, process and technology
- Addressing other regulatory compliance needs
- Streamlining processes by better information sharing and collaboration internally and with partners
- Positioning for M&A
- Reducing IT spend through better use of information assets
This article was written by GDPR Auditing associate Bill Blackburn of the Process Renewal Group.
© GDPR Auditing 2017.