We have exactly one year to go. On 25 May 2018 the new European General Data Protection Regulation will take effect. It will bite down on businesses across Europe like a Pit Bull mauling its favourite toy. So, what should we be doing to achieve GDPR compliance?
One thing you should not be doing, for sure, is ignoring GDPR. This is not one of those things that will just go away if we close our eyes. Burying our heads in the sand might work for a while alright (a year!), but once we have passed that magic date next year, if, for instance, one of our customers asks us to tell them what data we hold on them and what we plan to do with it and we can’t respond within 72 hours or can’t give a comprehensive answer, we could be in line for an eye-watering fine. €20M or 4% of our… Global… Turnover… (Not local gross profit!)… And it’s whichever is the GREATER!
There are lots of other ways we can fall foul of the new Regulation… We could have insufficient security, fail to report a data breach, communicate with customers without sufficient permissions in place, transfer data recklessly, fail to appoint a Chief Data Officer… There are any number of ways to screw up, but the purpose of this post is not to detail those… There are plenty of other ways to find that out. The Irish Data Protection Commissioners themselves have published an excellent document entitled, “GDPR and You – Preparing for 2018” which is available at www.dataprotection.ie.
No. This post is about the 12 month countdown and how to use it.
The new Regulation is going to affect every business that controls or processes data in Ireland and across Europe, and with the digital economy, web data, CRM, loyalty schemes, digital marketing and so on, that means, I would think, most businesses. Even SMEs are not exempt under the new Regulation.
So, back to the question… If GDPR is going to affect so many of us, what should we all be doing?
We’ve got 12 months. Here’s what I suggest… Make a plan!
Weeks 1-6
The top priority is to put GDPR compliance at the top of your agenda. Ensure that everyone in your organisation knows it is coming and that it will affect you. In particular get the Senior Management Team to see the business case for taking GDPR compliance seriously and for allocating some budget and resources to it. Be aware that data touches almost everyone in your organisation, so apart from the Senior Management Team you may need a lot of people to become involved: IT, Customer Services, Sales & Marketing, CRM, The Web Team, Legal, Compliance, HR (employee records contain personal data too!), Finance etc. etc. Assuming this will require meetings and that it is (almost) the worst time of year to get people in the same room, let’s allow 6 weeks for this.
Weeks 7-16
Commission a GDPR audit to see how far away you are from compliance and what you need to do to achieve it. Assuming that it takes four weeks to research and get budgetary sign-off, two weeks to organise with the auditors and four weeks for the auditors to do their work and produce their report, that’s 10 weeks… See how the time flies!
Weeks 17-20
Ruminate on the auditors’ report. This is actually essential. Take time to absorb what the auditors have come back with and what the implications are for the business. Get all the relevant people in the room again, break down the work that needs to be done, allocate roles and responsibilities and develop a plan for the remaining time. Allow 4 weeks.
Weeks 21-23
Develop a brief or a tender document or documents for the work you need to do to achieve compliance… I am assuming there will be some work to do to achieve GDPR compliance… This might be for internal teams (IT for instance) or external vendors, but whichever it is, it is essential to lay out clearly what needs to be done and to do it formally. The bones of the content should be in our GDPR Auditors’ report, so we should push ourselves to do this in 3 weeks.
Weeks 24-29
Invite responses to the tender(s). This will, no doubt, involve (internal or external) meetings and briefing sessions… And we have to give the vendors and/or internal teams time to respond, and build in time to assess those responses. So, again, this will take time. Allow 6 weeks.
We’re just over half way there… And it’s Christmas! Well it’s Friday 15 December… So forget about the next two weeks… We’ll pick things up in the New Year… But try to appoint your data tech partner(s) before you ‘break up’ for Christmas so that you can hit the ground running in January.
Weeks 30-31 – Christmas!
We have 21 full weeks left between Monday 01 Jan and Friday 25 May 2018. We will lose a week of that to Bank Holidays: Paddy’s Day, Easter etc. So, it’s 20 weeks. We won’t want to plan it to the wire in case there are unforeseen technical issues and other hold-ups. So, let’s agree we are aiming for the end of April. It’s 17 weeks then.
Allow 1 week to initiate the project(s) at the beginning of January and 2 weeks of testing and 2 weeks of training on any new systems and infrastructure at the end of the implementation. That leaves 12 weeks of intense work to build or modify the systems you will need in place to be compliant. Isn’t it interesting how 12 months can so easily become 12 weeks when we look realistically at what needs to be done and the time we will need to do it in?
The message is clear. If we haven’t already started, we need to start immediately. To borrow a phrase that is used in conservation circles in relation to planting trees… The best time to begin working towards GDPR compliance was a year ago. The second best time is now!
To book a GDPR audit, visit our GDPR page. Contact us via our Contact page.
Author: Tim France
Date: May 2017