GDPR: Taking a Holistic Approach to New Privacy Laws

By Dominic Fisher

With less than three months until the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, Dominic Fisher describes why a holistic approach to this regulation works best.

The GDPR concerns personal data and rebalances privacy rights in favour of the individual, consequently placing new or enhanced requirements on public and private bodies. For example, from 25 May 2018 you will be able to lodge a ‘subject access request’ concerning the personal data an organisation holds on you. Such requests could be driven by any number of concerns. Maybe you’re worried that your old employer continues to keep sensitive medical information on you that they no longer need, or perhaps you want to know what information a retail outlet that is sending you unsolicited communications holds on you.

Intensive Readiness Work

One year ago, the GDPR seemed like something on the distant horizon, and most of our discussions about GDPR were just that: speculation. With less than 100 days to ‘go live’, the time for speculation is over. Right now, many organisations are working hard to understand and fix their most critical gaps so as to achieve some level of compliance by the time the Regulation becomes effective. For a variety of reasons, many of these organisations have moved too slowly on their GDPR readiness work, but we are where we are and, even if you started late (or have yet to start!), the key thing is to get it right now.

Our GDPR specialists, who are drawn from business process, legal, regulatory and technological backgrounds, are currently working with banks, schools, retailers, wholesalers, hotels, healthcare providers and IT, telecoms and gaming companies. Are there differences between what we’re finding needs to be done at these diverse organisations? Absolutely, enormous differences. However, one common factor is the need for a holistic approach.

The Danger of Piecemeal Project Management

Coming from a family of architects, I know that one of our favourite insults for an ugly modern building is that “it looks like it was designed by a committee”. Similarly, a piecemeal approach to redesigning an organisation’s architecture is likely to result in a mess. We’re finding that the implications of GDPR are far reaching for many organisations. An approach that focuses only, or overly, on one aspect (e.g. the legal or the technological) is likely to leave you exposed.

While it is human nature for people to say “Just tell me what I need to do to be compliant”, it is also very common for clients to ask us “Am I allowed to do this?” or “Is this system compliant?”. Usually, it’s best to take a step back. The reality is that compliance has a number of dimensions, and answering such questions one at a time, ‘whack a mole’ style, is not the desirable solution.

GDPR Readiness Project Components

Any GDPR project should initially involve an awareness raising session. While this should at least be directed towards senior management, we recommend widening this to include key staff in departments most affected by GDPR such as marketing, HR and IT. As well as achieving ‘buy in’ around the importance of the Regulation, these sessions should be used to introduce the principles of the GDPR to get your teams’ creative juices flowing around what GDPR specifically means for them and their department.

These sessions can also help with detailed scoping work, which would usually involve a number of ‘discovery’ meetings. These meetings, which are intended to identify the aspects of the business presenting the greatest privacy risks, often bring to the surface the proverbial needles in a haystack. For example, in a recent discovery meeting, we found that an overseas bank may have access to sales invoices containing personal data due to invoice factoring arrangements. Certainly an area for further work.

Following these meetings, you would be in a much better position to begin a full GDPR readiness assessment. The assessment tool you deploy should be comprehensive in terms of the scope of the Regulation, and it is important that this readiness work is performed in the context of your operations. For example, it is usual to restrict the ‘in scope’ business processes to those where preliminary analysis reveals that the privacy risks are greatest, e.g. where sensitive personal data is gathered. This assessment should establish a privacy baseline and lead to a suitably tailored GDPR implementation programme.

For more granular insights, these assessments can be complemented by the compilation of data inventories. Data inventories are in any case a de facto requirement of the regulation, as they can be used to fulfil the obligation set out in Article 30 of the GDPR to ‘maintain a record of all (personal data) processing activity’.

Final thoughts

Tools, templates and IT solutions are helpful, but they can also offer a false sense of security. Numerous approaches can be taken to achieve compliance, and the sensible route should also be guided by commercial acumen. Also, in order to obey the spirit of the law as well as the letter of the law, there will be occasions when human expertise is required. Your GDPR team should be very familiar with, and guided by, the seven Principles set out in Article 5 of the Regulation.

Achieving compliance is one thing; maintaining it is another. If, like many other organisations, you are using external expertise to plan and execute a GDPR readiness project, you should make sure that the plan involves effective knowledge transfer. This can be done by ensuring that external consultants work closely with selected members of your team and by arranging that the readiness tools and templates used are also provided to you for future use. Done well, your GDPR programme should streamline the data you hold, giving you better control over a key organisational asset.
