Tips for scoping your GDPR Technical Approach
The GDPR – and associated dearth of information for those involved with its implementation – is the beginning of a world of potential pain for those involved in managing database and marketing solutions.
So if you're part of a tech team, tasked with implementing the functional requirements of your organisation's GDPR programme, where to start? As with any good tech design project, we start with Scoping and we first define what’s in and out of scope.
Scoping your GDPR project…
1) Become an interpreter: translating legal into technical jargon
The first challenge we generally face when designing a technical approach is translating the business’ requirements into technically relevant language. GDPR implementation is no different, although at times it can be a little more Kilimanjaro than Three Peaks. This is because much of the terminology is new, it’s written in legal jargon – and as with the old DPA, some of its terminology is mysteriously vague.
It makes sense then that one of the first tasks in the process of defining what’s in scope is to become conversant in the legislation. This is an opportunity to become the ‘GDPR Technical Expert’ in your business! It’s a little overwhelming at first, but understanding the legislation and what the various terms mean will add huge clarity for you in the process. According to Computer Weekly, 44% of IT professionals are uninformed of the new rules – so this could be your moment to shine.
Of course, not everyone will have the capacity (or inclination) to fulfil this role, which is where it pays dividends to bring in a Subject Matter Expert to work alongside you – either a consultant or agency (Hi, have we met...).
2) Be clear on which Articles have implications on your solution design
Once you’re familiar with the legislation, are you clear on which Articles have an implication on solution design – or which don’t?
Not everything within the legislation will have technical implications. And it’s worth knowing that even those parts that do may not fall within the remit of you and your team. For example, server encryption could be the responsibility of someone else (depending on your organisational structure) – so they’ll need to be aware that they are picking up this particular baton.
TIP: what often works well is taking your system architecture and mapping the relevant GDPR Articles to it.
3) Be your own harshest critic
These changes are significant and far-reaching, so knowing what you now know about the legislation, you need to make an honest assessment of your solution. It really helps to review your solution with a critical eye – if you can, get input from someone else on the team, or possibly, someone external.
Your scope will only be comprehensive if you’ve fully identified any potential gaps. So be tough on yourself here; the CFO will thank you when you sail through any ICO scrutiny unscathed – and moreover, un-fined!
4) Know your solution, inside-out
Seems obvious, but with everything going on it’s easy to forget to be conversant with all elements of your database solution.
So be comfortable describing your ETL processes, databases and any other system dependencies, through to your application layer. You should also be able to explain elements within your solution design such as data lineage, auditing, and access controls. Basically, know every nook and cranny of your solution and concomitant processes.
5) Form a crack team
What does your GDPR Technical Task Force look like?
Your team of experts will have specific roles, and whether you have the expertise or capacity in-house may directly impact budgets.
Firstly, who is the lucky leader? It’s also worth considering whether you have these roles covered within your GDPR Technical team:
- Technical Architect
- Solution Architect
- Data Architect
- Database Engineer
- GDPR Subject Matter Expert
- Information Security Representative
If you're already working with a data agency it’s worth checking whether they are able to support you in prepping for and building your GDPR team. If not, you know who to contact...