What we can learn from GDPR
Having assisted numerous companies with GDPR assessments and implementations, we have the opportunity to understand what approaches companies are taking, and where the pitfalls lie. Rather than looking at the requirements again, we wanted to highlight the 11 most common mistakes we’re regularly encountering, which are not restricted to GDPR projects alone.
In our experience, very few companies initially understand the scope of the problem. It is usually seen as a costly compliance issue that can be relegated to compliance, IT, information security or a related department. Consequently, the scope is underestimated, and the effort is under-resourced. The problem is compounded by GDPR being used as a means to sell often inappropriate, or even irrelevant, solutions.
The good news is it’s not too late to get on track. GDPR is not about simply ticking a compliance box. It’s an on-going process that we all need to keep learning from.
If you would like to find out more about how Performanta can help you with your GDPR project and beyond, please contact us here.
Top 11 pitfalls to avoid:
#1: Starting too late
The most common reason for starting too late is not knowing who should be allocated the responsibility of owning GDPR compliance. There are still companies who have not yet started addressing the problem; why would you if you didn’t know it was yours to fix? When it is allocated to a person/department, those individuals are often so engaged in fulfilling their day-to-day obligations that the programme languishes until there is a realisation that the deadline is imminent.
#2: DIY GDPR
In order to address GDPR, you need a comprehensive set of skills, ranging from regulatory knowledge to information risk management, IT, information security and business process analysis. As the deadline approaches, those who have chosen to do it themselves often find the complexity hard to navigate and start to look for outside assistance. In cases where the responsibility has been allocated internally, the individual has tended to view the problem through the lens of their own skillset and experience, often missing the larger picture.
#3: Everyone’s an expert
Everywhere you turn, everyone claims to be a GDPR expert, making it hard to know where to go when you need additional help. If you really want to succeed in this space you need to be sure that you’re dealing with the right partner – and that means a company that has successfully completed implementations, not just assessments.
#4: Allocating GDPR to IT
More than a third of the companies we have worked with initially allocated the resolution of GDPR compliance to IT. In these cases, the Board misunderstood the problem, and until GDPR is recognised as a business issue, it will not receive proper attention. More than once, after we have taken an IT manager through the implementation framework, they have asked us to meet with the Board to explain it. Until this shift happens, only a fraction of the required solution will be implemented.
#5: Using best practice standards as a guide
As with many regulations, GDPR tells you what must be achieved but not how to do it. In organisations where the problem is addressed by legal or compliance, there tends to be a focus on only one aspect of the requirements, with very little consideration for the remaining needs. The end result is that key controls are not considered.
#6: Addressing GDPR in isolation
While GDPR is gaining a lot of attention, it exists within a landscape of related ICT regulations. Some of these may even appear to contradict it, such as regulations pertaining to monitoring. In order to ensure compliance with all of the regulations, it is necessary to initiate the programme by examining the regulatory landscape in its totality and harmonising the requirements.
#7: A team of one
It is difficult to say how many times we have been approached by an individual within an organisation who has been tasked with addressing GDPR on their own, often while fulfilling day-to-day duties. The reality is that GDPR will affect most aspects of the business. It cannot be dealt with by one individual, but requires an orchestrated, budgeted and supported programme of activities.
Furthermore, the skillsets required are broad, ranging from legal, through information risk management, to IT and information security. It is unlikely that any one individual will understand the full scope of the problem and have the capability to address every aspect. The reality is that most departments in the organisation should be involved as the solution must integrate into the existing structures and processes such as risk management, audit and reporting.
#8: Misunderstanding the scope – past, present and future
Companies often focus exclusively on one population of personal data, most frequently that of their client base. Aside from forgetting about the staff requirement, companies don’t always consider the implications of sharing personal data with, or receiving it from, third parties. It is only during discussions that we tend to unearth the existence of personal data which had not been considered.
When dealing with personal data, one needs to consider the past, present and future states of this data. As an example, an individual may apply for a position within an organisation and provide it with their resume. Even if the position is not taken up, once that document enters the organisation, it falls under the ambit of the regulation. A five-year-old resume lying in the bottom drawer of the HR department is as relevant to GDPR as current HR records. Equally, if personal data is provided when responding to a tender (whether that bid is successful or not), the tender documentation must be secured for the duration of its existence.
It is worth undertaking a discovery exercise to identify what personal data resides within the organisation, including both hard and soft copy forms of the documentation.
#9: The impact of third party contracts
It is common practice to utilise cloud-based third-party services to process personal data. While the responsibility for processing has moved, the accountability for compliance has not. Generally, one would handle this contractually; however, this is only viable when the organisation is the senior partner in the negotiation; large multinationals will not modify their contracts to satisfy your requirements.
It is desirable to impose controls on the service provider, such as the right to audit or access controls on the personal data. Where this cannot be done, the organisation must consider implementing additional controls such as encryption, or even consider utilising an alternative service provider – should the risk warrant so drastic an approach.
#10: Policies for policies’ sake
It is very common for organisations to create – but not implement – policies. Without the effort to embed policy statements into day-to-day practice, they are only documents, of little value other than as evidence in disciplinary procedures.
#11: One-dimensional problem
Too many clients view GDPR as a legal, one-dimensional compliance problem. The reality is that it is tested in every business operation that collates or processes personal data. It can be a daunting task, but it is worth identifying, documenting and reviewing the core processes that utilise personal data in order to ensure that:
- The collection of data is performed in a legal manner
- The processing of data maintains confidentiality
This is the operational expression of ‘privacy by design’; processes must be performed in a compliant manner. Unfortunately, many existing business processes have weaknesses that could lead to information breaches, particularly when dealing with paper. Larger organisations often struggle to identify all of their processes and are unable to provide any assurance regarding their level of compliance.
Finally, GDPR requires that organisations implement processes which almost certainly do not exist today. As an example, the right to be forgotten will require processes that include:
- A determination whether it is legal to delete the data subject information
- A communication process with the data subject
- Potentially a communication process with the Information Commissioner
- A personal data deletion process, assuming that the location of the personal data is understood (and bear in mind this includes data stored as hard copy!)