How to get GDPR Compliant? Become GDPR Compliant? GDPR compliant product?
If you are reading this, it’s because the title either enraged you, or you believe there is a way to become GDPR compliant. If you’re in the former camp, it’s likely because you know that phrases like ‘becoming GDPR compliant’ are attractive to potential customers, but not necessarily the right message to be portraying. Data protection is a continual, iterative endeavour. It often involves a level of transformation across the organisation, requiring improvement to the way you process and handle data, whilst embedding roles and responsibilities to operate and manage data protection activity going forward.
Unfortunately, a lot of the conversations we have with clients or vendors involve them trying to sell us something that is ‘GDPR Compliant’ or ‘GDPR Certified’. This is something that appears as an early warning sign that either the company doesn’t understand GDPR/data protection, or they are using it as a marketing tool. The problem with using this terminology in this way, besides it being misleading and incorrect, is that it could provide a false sense of security to an organisation that is procuring the service.
Move away from “getting GDPR compliant” to understanding the data you have.
Conversations should switch away from ‘getting GDPR compliant’. Instead they should move towards a continual set of processes, procedures and supporting technology that enables your organisation to process personal data in a way that respects the rights of your customers, employers and other individuals whose data you may process.
Establishing a framework for data protection can start to move your organisation towards a more sustainable, realistic method of improving the way you process and manage risks to personal data, and establish a continual improvement approach to data protection.
1. Governance
Ensuring data protection has a voice within the organisation will provide a platform for discussions to be had on data protection matters with senior management.
Governance starts with documenting key roles and responsibilities for data protection and how this is implemented. This can really differ based on industry, company size and the services provided.
Once key roles and responsibilities are documented, it should be down to management to ensure they are approved, communicated and understood by the teams and individuals who will be required to deliver them and to demonstrate that the responsibilities are being met. This doesn’t have to be a vast number of roles and pages of responsibilities. Each organisation is different, and it should be enough to enable you to deliver on your data protection obligations and tailor your organisation’s working practices. Once you have this in place, you should then establish periodic meetings, perhaps monthly or quarterly, to discuss data protection matters.
Representatives should have some form of decision-making authority and provide good representation from all parts of the organisation. Begin with drafting Terms of Reference (ToR), get them approved by senior management and start kicking those meetings off. This will be a little slow at first but with good preparation beforehand, the discussions will improve over time. I would recommend that minutes are taken for these meetings, and any actions are captured and managed through to completion. Sometimes you may need to consider whether this entire approach can integrate into an existing meeting such as information security, but often the two disciplines require a lot of discussion and separate sessions are more effective and achieve more success.
Governance Checklist
- Document roles and responsibilities for data protection.
- Ensure roles and responsibilities are approved and communicated.
- Establish a data protection meeting ToR and agenda.
- Start running data protection meetings.
- Consider Bridewell's GDPR Gap Analysis report.
2. Risk
The GDPR requires organisations to establish protective measures commensurate with the level of risk in the data processing activities taking place, and refers to risk in multiple places. However, the GDPR doesn’t provide any instruction or methodology for identifying or managing risks relating to personal data or data protection law.
This problem manifests in many organisations through the use of generic statements such as “we accepted that risk” or “that was deemed to be low risk”, but these are often not supported by any tangible, auditable risk framework or decision making. Some organisations that are certified to ISO27001:2013 (the International Standard for an Information Security Management System) will have a methodology in place for identifying and managing information security risks, which may relate to personal data, but we rarely see mature data protection risk identification and management practices.
If you are looking to start improving data protection, establishing a way to identify, prioritise and manage risks is key, because you will not fix everything in days, weeks, months and sometimes years.
Documenting the risks you are aware of, or that have been reported, is a way to discuss those risks with peers, management and risk owners, with a view to applying any mitigation that can be done whilst the primary remediation is being progressed.
Information security risk practices can be adopted and may be something the organisation already has a familiarity with. It’s just a case of integrating these into data protection processes.
Things to consider are risk tolerance levels (what constitutes high risk and what is unacceptable), which risks get communicated to the board and how, how risk is calculated (e.g. impact + likelihood = risk), and how these measurements and risk factors can be integrated into processes such as Data Protection Impact Assessments (DPIAs) and supplier due diligence.
Risk Checklist
- Discuss and document key risk measurements and approach.
- Understand how risks are captured, progressed and communicated.
- Establish data protection risk register reviews.
- Consider leveraging existing risk practices and integrating data protection processes.
- Document and rationalise key decisions regarding data protection.
3. Build Understanding
It is difficult to know what areas to focus on and where your key risks are if you don’t fully understand the processes within your organisation that involve personal data.
Undertaking an audit of your business processes that relate to the processing of personal data can be a really effective way to gain a deep understanding of all areas across the organisation, build relationships with key stakeholders and start to meet your legal obligations around having a Register of Processing Activity (RoPA) under Article 30 of GDPR.
Going through this process, you should seek to understand why the data is processed, what the lawful basis for processing is, the security controls in place to protect the data, data locations, systems and any third parties involved.
Once you have completed this activity, it is important to ensure it is updated as and when new processing activities take place. Many organisations devolve this responsibility to managers and link the updating of a RoPA into other processes, such as procurement or new project management processes.
Build Understanding Checklist
- Meet with business stakeholders and capture processes that pertain to personal data.
- Ensure you capture the core requirements under Article 30 of GDPR.
- Capture any key risks associated with any processes and potential mitigations.
- Highlight any common themes to produce enterprise risks and/or remedial actions that have the biggest benefit/risk mitigation.
4. Policies & Procedures
Some organisations have in place a raft of policies and procedures in relation to data protection and cyber security. Here, I will focus on core data protection requirements from a documentation perspective.
Once you have completed the previous step of understanding your data, you should develop a series of privacy notices, which are clear, informative and transparent statements that provide individuals with key information on how data is processed.
It is good practice to maintain a register of privacy notices, along with key document control data, such as version control and timestamps. Ideally your privacy notices should also link back to more detailed information on how personal data is processed, which is typically a privacy policy that needs to cover a number of specific items around the types of personal data you process, the reasons you process it and other requirements on individual rights under data protection law.
The next stage is to focus on developing and documenting processes that seek to identify data protection risks and handle requests that come into your organisation under data protection law. This is where procedures in relation to Data Protection Impact Assessments (DPIAs) and procedures for handling data subject rights requests can enable you to have a consistent, effective approach to complying with the requirements of laws such as the GDPR and UK Data Protection Act.
Policies & Procedures Checklist
- Develop and publish data privacy notices for relevant data processing areas.
- Develop a clear, transparent data privacy policy for external use.
- Develop an internal privacy policy for employees.
- Document how you would assess a new service or supplier, ensuring DPIAs are included, along with supplier due diligence checks and RoPA updates if the service goes live.
- Ensure you have clearly documented roles and responsibilities, and processes for dealing with requests for access, deletion and other rights requests most pertinent to your organisation.
5. Action & Assurance
Far too often, when we initially engage with organisations, they may have produced some documentation, purchased an awful GDPR toolkit or decided for some reason that GDPR doesn’t apply to them! Hopefully, as you have read this far, you’ve identified that GDPR does apply to your organisation and you want to do something about it.
Once you’ve properly completed the above steps, you should start to see some traction within your organisation. You will have key stakeholders involved as part of governance, a process for identifying and managing data privacy risks, an understanding of the data you process and some core documented processes.
Now the real fun starts. You will need to take the hypothetical good practice and turn it into tangible business process transformation or implementation. Depending on the size and culture of your organisation, the approach can vary, but at a high level what you are trying to achieve is to get departments/stakeholders taking action on the data they process. That might be data cleansing, erasure or just improving the way they process personal data (action); you should also build an ongoing process to check these things are being performed effectively (assurance).
Many Software as a Service (SaaS) applications have assessments built into them which enable you, as that compliance/data privacy (person who cares), to send questionnaires and collate responses. These can be a highly efficient way of gaining assurance, but you are also reliant on the responses of individuals.
I would recommend using something like this if you have the budget, but also include a manual/physical discussion on high risk areas, so that you can ask probing questions, provide advice and get the right level of assurance. A quick Google search for “GDPR Assessment Software” should give you enough options. However, if you don’t have the budget for software, I would recommend building an audit framework, using some of the techniques/questions to revisit how each area processes personal data (amending your RoPA if necessary) and some simplistic checklists, which extract the actionable parts of the documents you have produced. These things combined can be built into existing software you may already have, such as JIRA or Microsoft Forms, and also into a PowerApp if you have the technical ability to do so. If not, use either Excel, Word or good old pen and paper (that last one is not for me, or recommended, but better than nothing). Whatever you decide to do, retain the documentation, collate any issues found and develop actions to address identified issues. This all goes towards being able to demonstrate a bit of accountability and business value, and supports internal reporting to management.
This is not an exhaustive list, but hopefully it gives you some food for thought – if you don’t ensure that your organisation takes action on the things you’ve implemented, it rather defeats the point.
Many organisations don’t believe they need any resources to support compliance with data protection law, but that is unfortunately often because they don’t know what they don’t know. It’s only when organisations become more aware of their obligations and implement processes to identify and manage them that they start to see the workload. If you don’t capture this workload in a logical manner, you will struggle to articulate what resources are needed, so always have a structure to identify and report on unplanned work. Microsoft Planner, To-Do, Excel, Google Docs, Trello and Jira are just some of the many tools available.
Action & Assurance Checklist
- Develop what actions you want to ensure are delivered across your organisation.
- Ensure you have a plan to invoke change and business process transformation/implementation.
- Use a combination of software and actual audits/interviews to gain assurance.
- Maintain records of audits/meetings and drive actionable improvements and risk reduction.
- Record and ensure visibility of all unplanned and planned work.
For more information on how Bridewell’s Data Privacy services can support your organisation, get in touch with our team for a confidential conversation.
Author
Scott Nicholson
Co-CEO at Bridewell