How to get moving for GDPR
Since we’re among friends, I begin this post with a frank admission.
Having earned my stripes as a client – at times bestowed with the exalted title of “Data Protection Officer” – I sometimes wonder how I’d have fared if tasked with making my organisation GDPR-compliant.
In all honesty, I reckon I’d be struggling just a little.
Because despite all the blog posts, those endless webinars, a continuous stream of events, all the rhetoric (and of course, all the fear-mongering), there is still a general paucity of clear, concrete and directional GDPR information.
The ICO and DMA produce excellent resources and checklists. But while these can provide a brilliant foundation for an in-house GDPR compliance programme, do they offer an operational blueprint to achieve this compliance? I reckon, well…not so much.
Unsurprisingly, we’ve found that many businesses are still struggling to gain traction with their GDPR programmes.
But if you are heading up your GDPR programme and it all feels like pushing water uphill, the good news is that there are a few practical actions you can take. Based on the common trends we’ve seen with clients over recent months, I wanted to share a few pointers that might help you to get things moving.
1) It’s not as bad as it seems – if you approach GDPR like any other project
Amidst all the GDPR noise, it’s very easy to feel overwhelmed, losing sight of the fact that this can be approached like any other project. In other words, a requirement for change has been identified – and we’re going to make it happen:
Understand the ‘As Is’ -> Design the ‘To Be’ ->
Perform the Gap Analysis -> Produce the Roadmap
Fortunately, many of the requirements for the To Be state have already been identified. OK, perhaps not in as much detail as we technically minded folk would like, but nonetheless it’s fairly easy to come up with a top-line checklist. Here are a few pointers:
Facilitate the 8 rights of the individual
Document all processing activities
Review consent management
Refine breach notification processes
Establish Data Protection Impact Assessment processes
Ensure 3rd party and supplier compliance
Given that GDPR has organisational, legal, technical and data implications, it’s useful to create a matrix of these implications against each of the stages above, producing a top-line compliance plan comprising individual work streams.
Compiling and completing this matrix for both the As Is and To Be states provides us with our top-line gap analysis. We can then use this to assign our organisational RACI; it will also become the headline work stream list for your GDPR programme.
2) The devil’s in the detail: Be Methodical
To arrive at the next level of detail, it’s useful to identify each specific requirement of the legislation. From this, you will be able to design the appropriate changes required within each of your work streams.
(Deep intake of breath): The GDPR legislation is made up of 99 Articles and 173 corresponding Recitals. And while it seems overwhelming, this gives a finite number of requirements. So grab a coffee and go through each of them; map the policies, processes, procedures, forms, ‘non-functional’ and ‘functional’ requirements needed. Thankfully, you’ll see some of them will overlap, and a particular type of policy or process may satisfy the requirements of multiple articles.
A de-duplicated version of this exercise will form your detailed GDPR To Do List. And by definition, this is the sum total of things you need to do to become organisationally compliant.
Alternatively, if you don’t want to do that yourself (or can’t spare the coffee), feel free to drop me a line.
3) Don’t rely entirely on the lawyers!
As mentioned, we already know that GDPR has implications across the board.
Given that it’s ultimately a legal obligation, many of the brands we work with have engaged one of the notable law firms to spearhead their GDPR compliance programmes. Reviewing and updating policies, third-party contracts and supplier agreements obviously needs to be performed by legal counsel. So we do need help – and who better to understand the law than lawyers?
But legal representatives will have their own limitations. While they know the law, they may not understand your business – and the increasingly complex processing activities that make up the organisation’s day-to-day operations (particularly across the evolving world of marketing).
To perform an accurate As Is discovery, you need to engage with your in-house Subject Matter Experts (SMEs) to gain a comprehensive understanding of all of the processing activities undertaken across your organisation, alongside any operational requirements and constraints for the To Be design.
This needs time of course – and requires your current in-house SMEs to be freed up to perform these roles. Without allocated time, it’s likely they’ll find the task impossible to accomplish alongside their day job. Of course, in an era of shrinking budgets and demands to do ‘more with less’, this may present a real challenge: freeing up the resource, the cost of backfilling existing resource, or bringing Business Analysts in on contract. But in my experience, using the best people at the early stages will invariably lead to significantly lower legal fees (not to mention the avoidance of potential fines).
4) Make GDPR a blessing in disguise
Understandably (and just as I would if I were still in that DPO role), many clients ask us how they can maintain the status quo. Questions like “how do we preserve the size of our marketable base”, or “how can we get around the law to carry on doing x, y and z”.
Without being shackled by the many responsibilities these clients share, I now think of things slightly differently.
Commonly, businesses suffer from a bloated database: one full of dusty contacts who haven’t engaged with their brand for years. People who technically gave consent but probably didn’t realise it at the time.
GDPR’s obligations provide us with a much-needed opportunity for a little ‘spring cleaning’. The brave new world presents us with a smaller database – but one full of people actively engaged with our brand, and eager to hear from us.
So, sure, the board might need a stiff drink to recover from the shock of losing a notionally large number of records. But I believe they’ll soon recover when response and conversion rates smash through that previous benchmark.
Similarly, it’s worth considering at this point whether the marketing processing activities you’re undertaking are adding real value to your business – should they be continued?
Just because you’ve run an initiative for a number of years, is it worth investing in finding a way to continue it under GDPR? Perhaps this is the opportunity to review what we’re doing and dust away those cobwebs in our marketing programmes.
Being very British, I’ll finish this post with an apology – for adding yet another GDPR post to that magic porridge pot of offerings. I do hope you found it useful; if you want to ask a question (or would like to hear more), please do get in touch.