The MetaCompliance team have just wrapped up their GDPR for Dummies roadshow across the UK and Europe. It was a huge success and we were delighted to help many organisations with their GDPR journey. We discovered from the feedback at the roadshows that businesses still have a lot of unanswered questions, fear and practical problems implementing GDPR within their organisations.
The questions follow a common theme. Which business areas should you focus on? Which GDPR articles are more important than others? Which department should be responsible for the GDPR project?
To make progress, MetaCompliance have developed a methodology for implementing GDPR. This methodology formed the basis of what would later become the Dummies Guide to GDPR.
The approach within the Dummies Guide provides a well thought out and practical how-to guide for GDPR. It really is the A to Z of putting a GDPR project in place.
Within every organisation there is some type of digital transformation project or initiative for the development of new revenue streams. The best GDPR programs are those that you can connect to a digital transformation initiative.
GDPR requires privacy by design. It should be a key part of all new processes and systems within your organisation. At the very least, by engaging in digital transformation discussions you make the GDPR requirements more attractive to business managers. By framing GDPR within a digital transformation discussion, you make it easier for business people to understand.
In terms of the discussion with your organisation, what senior leaders require from their GDPR team as soon as possible is three pieces of information:
- How bad is it? What high risks do we have?
- How much is it going to take to fix?
- How long is it going to take to fix?
The key to a successful GDPR project is to get this information to senior management and obtain the necessary resources or risk acceptance. The real challenge of GDPR is not the discovery phase but the remediation phase, because most modern, sizeable organisations have more high-risk data processing activities than they have the time or resources to resolve in the short term.
GDPR is a team game. The key to a successful GDPR program is to make sure that you bring everyone in your organisation with you. This means providing the correct training for each role: finance staff need different training from those in the IT department, yet both sets of staff have key roles to play in your GDPR project.
A number of companies have found the Dummies Guide to GDPR to be a great training tool, particularly for those staff who prove difficult to engage through eLearning.
Like it or not, GDPR is about the potential of financial sanction. From the outset you should be preparing for the possibility of having to satisfy a Regulator. This will mean providing detailed evidence of what you did to comply with GDPR.
The objective is to have GDPR as part of your business as usual. Living with GDPR will mean attending to subject access requests and responding to any incidents.
Some organisations have used a spreadsheet in their initial data gathering. However, a spreadsheet is not a suitable means of managing your GDPR program going forward. A better approach is to have a system that becomes your single source of truth for GDPR.
MetaPrivacy allows you to structure your GDPR project in a way that makes for easier management and the ability to demonstrate compliance.