By now, it’s unlikely that the EU’s General Data Protection Regulation (GDPR) has skipped your attention. And if your firm handles personal data, May 25th, 2018 is of huge significance.
The legislation is wide-ranging and ensuring your firm is ready for GDPR is a complex process. There is no easy fix or silver bullet. Only good decision-making, time, effort and resources will ensure you adapt successfully to GDPR requirements.
Despite this, many firms just haven’t really got going yet, even though compliance is compulsory.
Where should you start?
The first place to start with your readiness programme is to carry out a thorough gap analysis. This should determine how far your current practices for the processing of personal data are from best practice, or at the very least from compliance with the GDPR.
Fundamentally, the GDPR encompasses data protection, information security, and risk management. It is crucial that all firms conduct a gap analysis that evaluates all of these areas to establish where their weaknesses lie.
What would then follow is an extensive programme of activity that would involve establishing new processes, documenting those processes, assigning new responsibilities and likely investing in new tools to help automate as many tasks as possible.
A huge part of the GDPR is to ensure your staff are aware of what they need to do (and not do) to follow your new practices. The Information Commissioner’s Office’s (ICO) main driver is for your business to embrace the new laws to build a culture of privacy across your whole organisation, rather than just become a box-ticking exercise managed by your compliance officer.
Clearly, this could all be a significant investment of time and money. As your readiness programme will be based on the findings from the gap analysis, the importance of getting this first phase right is therefore critical. Get it wrong and it could be costly for two key reasons.
Firstly, a poorly conducted gap analysis would mean your readiness programme has the potential to focus on the wrong things, with much of the effort and money wasted.
Secondly, you may not end up much nearer to actual compliance with the GDPR, which obviously presents an ongoing risk to your business.
It’s fair to say that an effective gap analysis is a good place to start. So how do you know if the analysis you undertake is going to set you off in the right direction?
Introducing the ‘GDPR expert’
As firms realise GDPR’s complexity, the demand for external expertise has rocketed. This has inevitably led to the rise of the opportunists: those seeing GDPR as a way to cash in by positioning themselves as experts in helping you attain compliance.
The truth is GDPR is so broad that no one ‘expert’ can credibly support you in all aspects. Firms should engage a range of specialists with expertise in key areas of data protection, information security and risk management, with independent legal advice where appropriate.
You should look for partners who have built these competencies into their core business, long before GDPR became a priority. And you should move fast. With the clock ticking, demand is increasing, which means the most reputed specialists will soon be unable to take on new clients.
An Ongoing Challenge
The GDPR should not be considered a checkbox exercise. Without ongoing analysis firms can easily slip out of compliance – leaving them vulnerable to the penalties enforced by the ICO. Complying with the GDPR in the run-up to and beyond May 2018 requires a cultural change across the organisation. However, firms will need to benchmark their compliance status before they begin this cultural shift – for most firms, this starts with conducting a comprehensive, firm-wide GDPR gap analysis.
Effective gap analysis exercises recognise information security and data privacy as critical, but separate, components of the regulation. Compliance programmes that focus on technology or operational processes in isolation are unlikely to produce an accurate picture of your overall compliance. As such, a comprehensive GDPR gap analysis typically starts with an initial assessment, involving both a technical analysis of your network and an operational review of your staff, policies and procedures. Typically, a remediation plan is then produced that details the key areas of non-compliance and how they can be resolved.
Too often, however, this is where GDPR gap analysis exercises conclude, leaving firms with a snapshot assessment of their compliance status and little support with remediation. Where an effective GDPR programme differs is that it continuously monitors a firm’s status. As a result, regular, up-to-date documentation can be produced, helping firms remain compliant and, where necessary, provide accurate evidence of conformity. Only when this culture of continuous improvement is implemented can firms be confident in their compliance, and subsequently protect themselves from the risks of non-conformity with the GDPR.
A data audit is not a gap analysis
A good data audit details the full story of how personal data is managed in your firm, from how it enters, to how it is processed and stored, to who owns, accesses and controls it and how they use it, to how long it is retained. It also tells you whether your technology is adequate at that point in time. Any data hosted off-site but controlled by you must be included.
However, a data audit does not tell you how to comply with GDPR. It will probably not include data policies or processes, help you identify the legal basis for processing that data, or evaluate the level of data privacy awareness across your firm. It therefore won’t enable you to assess your ability to meet your GDPR obligations going forward.
As such, most firms that conduct a data audit are unsure about next steps. Only a gap analysis will tell you what GDPR requires from your firm on an ongoing basis.
Beware the ‘GDPR cowboys’
Conducting a gap analysis internally is very difficult. Aside from the challenges of freeing up key resources or finding someone with the right skill set, an internal owner is likely to be too close to the business. This is why many firms are looking for outside help with both the gap analysis and the subsequent heavy lifting.
Many companies are now offering GDPR support services, such as free assessments, training, in-depth consultancy and generic policy templates. Costs range from five hundred pounds to the tens of thousands. Some of these services will be invaluable – most firms will need to consider external support if they are to do things thoroughly.
A good example of where outside expertise is especially useful is penetration testing for IT vulnerabilities. This involves paying external, authorised ‘hackers’ to attempt to access your systems and then report the vulnerabilities that need eliminating. Of course, GDPR is not just about cyber security, but it is still a key element.
Ultimately, you have to think carefully about who you trust. The best external partners are those firms that focused on data privacy and information security best practices long before GDPR was even on the radar. There are many unqualified GDPR cowboys jumping on the bandwagon, so work with those who can clearly demonstrate their capabilities with a track record far longer than just the last 12 months.