It's less than four months to go until the European Union General Data Protection Regulation (GDPR) comes into force to boost individual privacy. By now, organisations should have almost everything in place to comply with the new regulation. But as the GDPR will transform how data is collected, managed and used – affecting every part of the business – we’ve found progress across industry has been slow.
That’s because you need the involvement of all business functions to ensure solutions meet the needs of a wide range of stakeholders. Yet decision-making is often left to senior leadership who have limited understanding of the detailed processes of compliance.
When we work on GDPR and privacy initiatives, we ask organisations to get creative to break the design and implementation logjam. One great way to do this is to set up GDPR accelerator teams.
These teams, made up of five or six people from privacy, compliance/legal, IT, and other key business functions, should be deployed in bursts of three to five weeks. To speed up design and decision-making, each team tackles a key area – the most important of which are:
We’ve seen a lot of organisations struggle with this foundation step. Integrating data protection impact assessments (DPIAs) into the design of business processes, IT assets and third-party contracts should be seamless. You’ll need to create a legally acceptable DPIA solution (compliant with Article 35 of the GDPR) and embed it in the core business and project governance mechanisms, so that all new initiatives have privacy as part of their design rather than as an afterthought.
We’ve often seen that organisations have limited visibility of the privacy notices they have given to people through different channels. They also sometimes have only a partial understanding of the legitimate business purpose for processing personal data in each of their business activities. You should determine the legitimate business purpose for processing personal data quickly, so you can update existing notices, or create new ones, for high-risk business activities.
With significant financial penalties for mismanaging data, and with your reputation, your ability to continue processing data and customer trust all at stake, you’ll need the right systems to identify and respond to data breaches. You’ll also need to be able to notify the regulators and affected individuals promptly. To make this possible, you should create a breach management toolkit that includes notification templates, checklists and communication plans, so the organisation can respond to a breach in a timely manner.
In our experience, making business activities compliant takes the most time, because each activity typically spans business processes, IT assets and third-party contracts and so requires extensive collaboration and engagement. You’ll need to develop a coherent and consistent way to identify high-risk business activities, based on how personal data is processed, together with the relevant remediation strategy for each. If you don’t, you could be overwhelmed by the volume of low-risk activities.
Under the GDPR, individuals have more rights over their data, and fulfilling requests made under these rights will need new systems. For example, if someone wants you to delete their data, you’ll need to be able to receive the request, authenticate the individual, validate the request against legal, statutory and regulatory requirements, triage it against the appropriate legal bases for processing the data, work with the business and IT to fulfil it, and respond – all within a month.
To make sure these five areas are developed in alignment, privacy, compliance/legal and IT should be represented in all your GDPR accelerator teams. The other three or four members should be from business functions that are most likely to be impacted by the area being developed, like procurement, HR, marketing and sales. Finally, each team will also need leadership representation to ensure quick decision-making.
These accelerator teams will provide realistic recommendations to the leadership team, and because they have cross-functional representation, their recommendations should be accepted more quickly. This means your GDPR accelerator teams will need to avoid becoming part of the implementation team, focusing instead on the big picture to find practical solutions.
But remember, it will take more than these accelerator teams to comply with GDPR in full. Without cross-functional leadership support, starting from the board, organisations will struggle to transform themselves and keep people at the heart of personal data processing.