This is the final blog in our GDPR series. In part 1, "What is the GDPR regulation?", we looked at why the new regulation must be taken seriously, how to work out whether you need to comply, and the impact it may have on your business. In part 2, "What happens next?", we considered what to do once you know you must act: the things you MUST do and the processes that will get you started. Part 2 also introduced PIAs (Privacy Impact Assessments). A PIA is similar to the Business Impact Assessment that every organisation is familiar with, but it assesses the risk and consequences of losing or mis-managing personal data, including the breach notification that follows. GDPR requires a breach to be reported to the supervisory authority within 72 hours of becoming aware of it. That brings us to part 3: "How to gain executive sponsorship for the GDPR compliance activities".
In many organisations, information protection initiatives have floundered and been pushed down the priority list in favour of "more important work items". Senior management involvement is vital if GDPR compliance is to succeed, and a stalled information protection programme can be rescued by it. Executive management must be engaged from the very start of GDPR, initially through the fear of fines for non-compliance. Beyond that, a named sponsor is needed who reports to the board on progress, on risk, and on where personal data is held. Once the sponsor is on board, they appoint Data Protection Officers for the business areas that store and process personal data. The overall governance then defines the processes for PIAs and for incidents, and creates and maintains the reporting and monitoring that is needed. GDPR is not a one-off event: as new partners are engaged, business direction changes and M&A activity takes place, the inventory of personal data has to be reviewed on an ongoing basis.
Let us not forget another important part of making sure GDPR is understood in your organisation: training. Awareness is critical to any information protection activity, so GDPR activities that train, educate and inform end users and the relevant partners about their responsibilities are vital. Incidents will happen in which personal data becomes accessible to people who should not see it, and awareness helps ensure that everyone follows the correct process when they do. Prepare for incidents early so that your processes can be adjusted to mitigate them.
So, to summarise, with some key take-away points: GDPR must be a joint compliance project across the group or business area. It is not just an IT, Marketing or Legal project, and it must address people, processes and technology. Focus on the key risks, which may well include being unable to fulfil customer requirements. The timeline is aggressive but not impossible, and postponement is not an option.
The upside of this activity is that you will have a better overview of your systems and processes and of how they interact. That is an enabler for optimisation and efficiency improvements. You will foster customer confidence and loyalty as a trustworthy business. Overall, it can only help business growth. The next actions, then, are to align with your data protection programme and review your strategies to include GDPR. As early as possible, identify your programme and funding gaps and raise them with the sponsor. Use your existing data mapping and conduct a gap analysis. Get your governance in place as soon as possible so that planning and the roadmap can be developed. Then come policies, guidelines and finally awareness.
If you need some help in preparing for the new GDPR regulations please get in touch to arrange your FREE 60-minute consultation.