We caught up with Outset GDPR expert, Kevin Nolan, and spoke with him about the key things businesses should be considering in preparation for GDPR, and what he has discovered through helping businesses with their compliance.
Kevin, you’ve been assisting businesses with preparing for the implementation of GDPR for some months now. What key trends are you discovering?
What is becoming clear is that businesses are not prepared for GDPR and in most cases not really compliant with the existing data protection act (DPA) as it stands at the moment.
As a result the companies have a lot to now do in a short space of time to be compliant with the new regulation.
For those that are compliant with the DPA, the gaps will be more around the working to be compliant with the changes including data breaches, subject access requests and privacy statements, and the confusing issues over consent. Even those that are claiming compliance with current DPA have been found to have limitations with being able to demonstrate a compliance framework being in place that is visible and clear and known to staff. The new regulation has this as a core requirement as governance and accountability are essential to protection of data.
You’ve previously mentioned that a working group meeting is a sensible place for any organisation to start looking at GDPR – why do you say this?
Initially doing an audit or gap analysis shows some of the fundamental changes required to meet compliance. However what we are finding is that a more informal process that enables people in the business to share what has been done to get ready for GDPR up to that point is proving to be really worthwhile in identifying gaps or steps needed to take before doing an audit. This helps build a much clearer understanding of what is required, including governance and accountability and often shows areas that had not been previously considered. It is a mistake for senior managers to just ‘assume’ they are complying they need to demonstrate how it is working in practice and how it is evidenced that they take privacy protection seriously.
Therefore to do an audit straightaway generally results in a set of negative results because the company had not adopted a project approach to compliance. This can be quite frustrating for some businesses when the gaps are highlighted. By starting with a working group, and having open discussion of where the company are, clear gaps can often be identified and then in most cases steps can be taken before an audit is commenced – this makes better use of budget and people’s time and nearly always has positive outcomes and improves understanding. Most companies go away from a working group with a fuller awareness of what needs to happen and who will be accountable for these. We can then support the client in achieving these next steps prior to an audit.
We do not say ‘don’t do an audit’, however by just having an audit as the first step the client often receives a set of results that are too often reflective of their limited understanding of the new regulation, which can be complex.
Through participating in a working group and where expert advice is provided, the business is able to identify and clarify their next steps, and some of these will be quite easy to implement, when otherwise they were considering much more complex or time intensive solutions. This means that when a business chooses to conduct an audit at a later point they are already scoring positively.
What do you believe are the common misconceptions about GDPR?
Consent appears to be the main one. There’s still a lot of confusion around how consent is going to work, and how to manage consent internally and externally; that and not grasping the importance of privacy statements. There are straightforward things you can do externally to communicate your compliance, however if you are starting from scratch internally to develop an appropriate compliance framework it can be a longer burn that requires policies, procedures and processes; from an external perspective you can demonstrate compliance more quickly – although you need the underpinning framework to support it.
In simple terms it boils down to:
Making all your data subjects aware of how you collect, and share their data – be transparent.
This means that if you are using consent as lawful basis, then make sure you ask at the earliest opportunity; or define a different basis for using the data.
Internally, since consent is in most cases not an option, I (the business) still have an obligation to make you aware of how your data is going to be used and why; so I should use an internal privacy statement to inform colleagues about their data use.
What 3 things should an organisation seek to have in place before the 25th May?
The Information Commissioner’s Office (ICO) has templates/examples of documentation, however these have to be tailored for your business so each will be unique to your organisation – this is why businesses need some expertise and understanding of how you use and control data, data flow mapping as mentioned by the ICO will be key to understanding this; without it, a business often does not know how it will control its data.
So in summary your recommendation to businesses would be to start with a working group to identify priorities, which potentially will lead onto either data flow mapping or an audit, then into construction of governance documentation.
Yes and a number of internal policies need to be reviewed and updated to comply with the regulations, and in some cases new policies will need to be created as part of your ‘new’ compliance framework. Remember there will be on-going compliance activity post the 25th May including monitoring, recording and responding to data subject privacy issues. It does not stop on the 25th May 2018 because you have put some steps in place – there needs to be commitment from the top down.
Want to know more?
Working group costs start at £300 +VAT per hour, capped at £1,000 +VAT for one day (subject to location)
Click HERE to view our support (guide and videos) and services for GDPR
Call: 01622 759900