Planning for GDPR compliance
At the time of writing, there is just over one year to go until the GDPR (General Data Protection Regulation) comes fully into force across the EU. By May 2018, we are also to have new data protection legislation in place in the Isle of Man that is – if not identical – in all essentials equivalent to the GDPR. These changes will affect any Isle of Man organisation that handles personal information about individuals, regardless of size.
All indications are that compliance with the new legislation will be expected from day one. For those organisations that are compliant with the current Data Protection Act, GDPR compliance should not be overly burdensome. However, our experience indicates that many local organisations are far from compliant with parts of the existing legislation, meaning that they have a lot to do to close the gap between the current state and where they need to be by May next year.
So, with a year left in which to prepare, what should you be focusing on? With much to be done, and time and resource likely to be tight, taking the right approach from the outset is key. Our experience of working with clients on GDPR remediation projects has highlighted several steps that should always be undertaken before you start formulating a GDPR remediation plan.
1. Know your starting point
Do you know what you are doing well at the moment, and where you may have gaps?
The GDPR brings enhancements of existing data protection legislation (particularly in the area of individual rights), as well as new requirements (such as incorporating privacy by design and default into your business processes). Unless you have full visibility of the current state of your data privacy framework, you will find it difficult to assess the extent of the work that will be required to achieve compliance with the GDPR.
2. Understand your risk profile
Many of the GDPR's obligations call for a response proportionate to the risks inherent in the personal data you are processing, the nature and scope of the processing activities, and the risks to the rights and freedoms of the data subjects. When carrying out an initial risk assessment, you should be taking into consideration:
- the nature and volume of personal information processed across your business functions
- the risks to the data subjects arising from your processing activities
- the jurisdictions in which you operate
- potential penalties you could incur if you get it wrong, including reputational damage
- your own risk appetite
3. Develop your vision and strategy for GDPR compliance
An articulated vision for GDPR compliance will enable you to identify the matters that are most important to you, and not get lost in trying to deal with technical points of legal compliance.
Developing a vision can be as straightforward as deciding whether you are aiming for simple legal compliance, or aiming to differentiate yourselves by adopting best practice, even when this goes beyond what the law requires. Your decisions at this stage should set the tone and the expectations for the entire project, and will guide any decisions regarding the nature or extent of work to be carried out to ensure you meet your GDPR compliance objectives.
Once you have developed a vision for your desired end state, then you can put in place a strategy to deliver that vision and the structures through which this will occur.
4. Plan for business as usual
There is no merit in creating a complex privacy programme if you do not have the resource to maintain, monitor and assess the output. You must be capable of sustaining and monitoring whatever you put in place, either through your existing compliance programme or as an extension to it. If you do not plan for 'business as usual', you risk wasting time and resource.
Throughout this process, it is important to realise that there is no 'one-size-fits-all' solution to GDPR compliance. What works for the organisation next door won't necessarily be right for you, and vice versa. What is important is achieving a clear vision and tailored approach for your organisation, so you can ensure that any remediation work you undertake will be aligned to your business objectives and priorities.
And with only 52 weeks to go (or less by the time you're reading this), you can't afford to waste time getting it wrong.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.