This is a guest post by Solitaire Associate, Robert Toogood and first appeared on his website, www.projectsystemssupport.com.
When did you first hear about the General Data Protection Regulation (GDPR) legislation and the need to comply with it by May 2018?
Was it recently or possibly many months ago, when the legislation was formally adopted by the European Parliament in April 2016? On the other hand, GDPR compliance activities might have been on your organisation’s radar even earlier than that.
There is a good chance you have already heard something about GDPR although you may have become overwhelmed with it all, hoping that the inconvenience of having to comply would conveniently and quietly go away.
But then you might be reading this article as someone who is working for one of the few organisations that have already started their GDPR implementation activities and are on track to achieving compliance by May 2018.
It is now clear that the legal requirement for your organisation to comply with GDPR is not going to go away and the associated end date is not going to change either.
If you have still not started your implementation activities yet, the risk of non-compliance is therefore significantly increasing, both for your organisation and its investors.
GDPR is not something to fear.
It presents many opportunities to add value to and protect your business, provided you open your mind to the important point that it is not just another piece of technical compliance work you give to your IT people; it is a fundamental change to the way we handle data within our organisations.
We must also remember that this is the first major revision of data protection and privacy legislation for over twenty years or so. If properly implemented, it will present many opportunities for better protecting both individuals and organisations in our ever-increasing digital and interconnected world.
As the UK Information Commissioner, Elizabeth Denham, emphasised in a recent speech, accountability is a key change under GDPR. She went on to add “It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
If you haven’t done so already, the time has now come to face reality and accept the complexity of what is needed within your organisation to comply with this incredibly challenging but exciting piece of legislation.
The complexity needs to be managed with care since the implications of non-compliance by May 2018 are significant, with those accountable in the boardroom in scope for potential criminal prosecution, as well as the already widely publicised potential 4% of turnover fine and associated reputational damage.
However, it is still not clear that this accountability is truly understood by many boards, as reflected by the number of GDPR programmes that have still yet to start or are woefully underfunded.
So what is needed?
The first step is to setup up a programme on an enterprise-wide basis to manage your implementation activities. Strong boardroom sponsorship involving all key stakeholder groups within your organisation is needed.
The second step is to structure your programme by deciding whether to use an already implemented methodology, or by selecting a more appropriate one to help direct your critical privacy related activities.
The third step is to then tailor your selected methodology to reflect the realities of the organisational environment in which it is being used, and to integrate any associated privacy related frameworks and supporting tools which are also needed for your organisation.
The fourth step is to plan your programme involving all key stakeholders and the way in which you have decided to organise your programme activities.
The fifth step is to launch your programme and support it with an appropriate level of resource (and funding) given the challenges that the programme faces within your organisation.
The challenges each organisation will face will be unique, reflecting a rich and varied mix of different factors including:
- gaps with existing legislation;
- existing and planned system landscape;
- technical infrastructure;
- implemented methodologies, frameworks and standards;
- sector regulatory requirements;
- governance, risk and compliance maturity;
- external certifications.
A further requirement for achieving GDPR compliance is to adopt a risk based approach. This is actively encouraged by the legislation but requires other things to be in place for this to work effectively. What is best for your organisation will depend on many factors.
What does of all this mean for you?
It means that it is important to include within your GDPR programme people who have the depth and breadth of expertise, both within IT and the business, that can work across the total organisation, building bridges if required between different functional groups and siloes that haven’t traditionally work together.
These people need to be able to see the bigger picture of what is needed based on their experiences in the real-world dealing with similar project, systems and risk challenges. They need to understand and simplify complexity, addressing the inevitable ambiguity that will be present amongst these implementation activities… helping you connect the proverbial dots to ensure you meet your legal obligations in the most appropriate and efficient way for your organisation.
In the final analysis, it is people who will determine whether a GDPR implementation is successful or not.
Only by recognising this fundamental point, will an organisation move beyond GDPR as a box ticking compliance activity to something that will really add value to the organisation by changing its data culture, enabling it to more effectively compete in the new and exciting digital age.
Where are you on your GDPR implementation journey?
To discuss these challenges further and their relevance to your own organisation, please contact us to schedule a completely confidential and no-obligation discussion.
Robert Toogood is an independent project, systems and risk expert who has recently been awarded an MSc in Risk Management (Distinction). He is also a member of the Project Management Institute (PMI), International Association of Privacy Professionals (IAPP), Information Systems Audit and Control Association (ISACA), and Association for Project Management (APM). In support of our growing interest in GDPR, we have now launched DATA-Tight, a new consultancy service, specifically aimed at helping organisations cope with the increasing amount of complex legislation relating to data protection and privacy. By leveraging our extensive real-world programme management experience and expertise, our clients benefit from a bespoke advisory service which will help them to comply with the legislation in a more tightly co-ordinated and cost efficient way.