GDPR - Where do I start?

For the IASME Consortium’s March update on the General Data Protection Regulations, we talk to GDPR Practitioner, Peter Loomes, who will be working part-time with IASME.  Peter’s input provides us with another expert angle to our regular GDPR updates.

We are pleased to say that Peter’s input will be in addition to our co-operation with law firm Harrison Clark Rickerbys (HCR).  Peter will provide practical implementation advice to our Blogs whilst HCR will continue to provide a legal perspective.

Last month, HCR gave insight into some of the detail behind the headlines; this month, Peter Loomes helps us look at preparing a business for GDPR.

IASME: Peter, welcome. It sounds like there is much to do to prepare for GDPR. If I’m just beginning to look at compliance, where should I start?

PRL: The Information Commissioner’s Office (ICO) has an excellent 12-step guide to implementing GDPR, https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. It says the first step is Awareness, i.e. informing the key people in your organisation about GDPR. I would tend to disagree with this slightly and suggest starting with step 2: Understanding the information you hold.

I say this simply because going to your CEO and saying GDPR is coming will probably solicit a response of ‘so what’ and ‘it’s a year off yet’. However, if you know the data your organisation holds, where it came from, where it resides and where it goes to, you can put more scope around the statement. For example, it would be more convincing to say to your CEO that GDPR is only a year away and we need to look at the processes around the management of personal data held in cloud storage which is hosted across the Far East.

IASME: Some organisations will hold far more data than others and it may be difficult for some organisations to understand exactly what data they do hold. How do you go about understanding an organisation’s data?

PRL: There are many books written on the subject but, being the simple soul I am, I look at the business flow of the organisation. I follow the flow and at each stage I examine what data is accessed and where it comes from. I look at what data is generated and where that data is transmitted to.  This then gives details of what data I hold and where that data flows into, across, and out of, the business. This step would apply for all organisations, regardless of size and the amount of data they hold.

It is powerful stuff.  I have never known a data analysis exercise that hasn’t resulted in people asking the question: why are we doing that?  In one organisation, I discovered a person developing a monthly report that was never looked at!  Cutting out that report saved the organisation £30k per annum.

IASME: GDPR will require preparation and actions from all businesses regardless of their starting position. This could be viewed as more red tape for businesses; however, your previous answer suggests there are also opportunities?

PRL: Absolutely there are.

There is a reason we have been given a long lead-in time to the implementation of GDPR. Of course, some companies may be fortunate enough to have processes and procedures which already comply. Chances are, however, that all businesses will need to make some changes; as a very minimum they must review current processes against the GDPR requirements and address any shortfalls.

GDPR is also an opportunity.  It’s an opportunity to look at how a business functions by reviewing both your data, its flows and your processes.  It is never a bad thing to occasionally stand back, look at what you have and what you do: then question it.  I am sure there will be opportunities for efficiencies and, maybe, an opportunity to further enhance the customer experience!  Do you really need all the data you currently hold?  Is the data you hold now obsolete? Can your processes be streamlined? Do your current processes leave you exposed to any vulnerabilities? Etc.

Reviews must first and foremost be used to check your compliance against the GDPR itself; however, use them as an excuse to see what you can do better or more efficiently. I am sure many organisations will reduce the amount of data they hold and streamline, or even eradicate, dated processes. There’s a saving in itself.

IASME: Talk of savings is great, and a bonus; however, we have gone off on a bit of a tangent from talking about the first things to do for GDPR compliance?

PRL: Well, not really. Understanding your data is a good first step as it will also give you an idea of scope. That will then inform your next step, which is about informing your organisation. Armed with this information you can start to develop messages that are pertinent to the Board Room, managers and operational staff. Getting your board communicating the right messages to the right people is very important if you are to comply with GDPR.

I would suggest that over the next couple of months, if you understand your data and you have your board committed – you will be on track.

IASME: So if I do this will I be compliant with GDPR?

PRL: Unfortunately, no, though you will have made a good start. This is just the beginning of quite a long journey. In the first question, I said the ICO has a 12-step guide; if you get this far, you are under 20% of the way there. That is why the ICO is suggesting organisations start to look at this now. From the point of getting your board and staff ‘on song’ you will need to look at how you manage privacy notices, develop and implement policies for managing individuals’ rights, etc.