With the EU's General Data Protection Regulation (GDPR) less than a year away, we asked the experts for their top tips for achieving GDPR compliance.
Getting started and understanding the business impact
With the regulation deadline less than a year away, Brian Honan (@BrianHonan), CEO of BH Consulting, says it’s time for businesses of all shapes and sizes to get started with their GDPR compliance plans.
“Start looking at GDPR now and how it will impact your business. It comes into effect in less than a year and it is important that you have everything in place before that May 25th 2018 deadline,” he explains.
This comment on timeliness was echoed by IDC analyst Duncan Brown (@duncanwbrown), who simply says: “Top tips? Start. Too many firms still have their heads in the sand or think [GDPR] doesn’t apply to them.”
He goes on to add that firms must then accelerate their plans by prioritizing what is important: “Find the areas that need urgent attention and focus on these. This may be driven by gaps in process coverage or the sensitivity of data, for example.
“Prepare for a lifestyle change; GDPR is not a crash diet project that has an end, it requires companies to change behaviour permanently.”
Penny Jones, principal analyst at 451 Research (@451Research), agrees, adding that understanding the regulation, and how it impacts your business, is key. “Companies need to start doing all they can to understand – even if it is their own interpretation of GDPR – what the regulation stipulates they must do to be compliant.
“They then need to document all the processes they have in place to become or remain compliant, as this will help them if any future cases regarding GDPR are raised by the Data Protection Authority in their jurisdiction or if a case comes before the courts. Until cases do arise in the European Court of Justice or under jurisdiction of local regulatory bodies, much of GDPR will be down to interpretation. A company is best protected at this point in time if they can prove they have taken the steps they deem important for compliance.”
Neira Jones (@neirajones), a technology advisor and consultant, who was formerly director of payment security for Barclaycard, adds that those preparing for GDPR must start by looking at how the regulation works alongside other industry regulations, especially as some of these may cover requirements outlined in GDPR.
“Don’t look at GDPR in isolation, look at it alongside regulations such as the Payments Services Directive (especially for security and authentication), the fourth Anti-Money Laundering Directive (especially KYC and authentication identification), the e-Privacy Directive (which is Lex Specialis to the GDPR), Privacy Shield and PCI DSS.
“Looking at all these holistically for the security/financial crime aspects will derive many synergies and economies of scale. Organizations may find that they are already doing a lot towards compliance.”
Appointing a Data Protection Officer
On the most urgent priorities, Honan adds: “Key areas to consider are who will be your Data Protection Officer [this is not mandatory except for some organizations, but could be beneficial in certain cases – Ed], how will you build Privacy by Design into your products and/or services, and how well prepared are you to detect and respond to a data protection breach relating to personal information.”
While appointing a Data Protection Officer (DPO) is not mandatory under the new regulation, some suggest they could be helpful in improving a firm’s data protection posture.
“Assign power and responsibility to a Data Protection Officer with direct access to the board,” advises Edward Lucas (@edwardlucas), senior editor at The Economist, when asked for his recommendation on starting out with GDPR.
Cleaning data and building trust key to GDPR compliance
“My top tip for GDPR compliance is to make sure that, before you do anything else, you understand your ‘data estate’,” says Dan Hedley, senior associate at Irwin Mitchell (@irwinmitchell).
“By that I mean what data you have, who it’s about, where it comes from, why you need it, what you do with it, where it’s stored, who else it’s shared with, how you keep it up to date, how long you keep it for, what you’ve told people about all of those things and how you’ve told them. Until you establish those basic facts, you won’t even be able to start with the process of compliance because you won’t be able to tell what you need to do in order to become compliant.”
Neira Jones agrees on analysing the data being collected and stored, adding: “If you don’t need it don’t collect it: minimise the data you collect, protect what’s left accordingly and have a sensible retention policy.”
Rowenna Fielding (@Missig_geek), data protection lead at Protecture Limited, adds: “Forget ticking ‘compliance’ boxes and start treating personal data the same way your organization treats money – know where it comes from, who’s using it, for what, where it’s kept and where it goes. Then compliance – and good customer experience – should come naturally.”
“GDPR is an opportunity to clean up house,” says Elliott Haworth (@ElliottDHaworth), business features writer at City A.M., who has written extensively on the subject.
“A good place to start is with system-wide data mapping: knowing what personal data is held within your business and where it is stored will make any access requests simpler to handle. Once you understand what you have, ask yourself why, or if, you need it? What are you using it for? If there is no immediate answer, delete it. You’re going to need explicit consent for every bit of data you hold, and the less you have, the easier that will be.”
“I think probably the most important part of becoming GDPR compliant is being honest,” argues privacy activist Alexander Hanff (@alexanderhanff), CEO and founder of Think Privacy.
“If you are not honest with yourself about the data you collect, your intentions for processing and retention, and whether or not you actually need that data in the first place, you are going to struggle to ever be compliant. One of the best processes to do this is a privacy impact assessment, but again it must be based on complete honesty.
“But honesty is about much more than introspection – you need to be honest with your privacy officers/data protection officers as well. They are not developers, they are not marketers, they need your honesty to do their job and if you are not honest with them, again you will face problems with compliance.”
Hanff goes on to add that this honesty should extend to updating privacy policies and to conversations with regulators in the event of a breach.
Holistic risk assessments and clear communications
Stewart Room (@stewartroom), global head of cybersecurity and data protection at PwC Legal, believes organisations need to take a holistic approach to GDPR compliance: “The key to success is to take a risk-based approach to prioritization of the GDPR programme. This needs a basis for holistic risk assessments that go beyond simple matters of legal compliance risk. Entities should consider the likelihood of adverse scrutiny and the forms that it may take. That will point entities to their future burning platforms.”
“My top tip, for a global company like ours, is focus on brilliant, effective engagement and tailored communications, with all required internal and external stakeholders impacted by GDPR.”
Internally, Roberts says this should include marketers, legal, IT, HR and procurement, filtering down to all employees globally. However, he also notes that firms should focus on external parties, such as agencies, system integrators and – critically – regulatory bodies, like the ICO.