Whether you’re a beginner with GDPR or you’re quite advanced and just wanting a sanity check, we’re going to give you 10 Steps to GDPR Compliance to guide your journey. You can see the sister video to this blog post in Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Cisco’s 2020 Data Privacy Benchmark Study said, in the UK, there’s a 3.5 times return on investment on Privacy spend – and we can really believe it. Stay with us to the end – we’ve got a fantastic Bonus Tip on how GDPR can become a revenue generator for you.
Step 1 has to be the Key People.
For your project to really succeed, you need someone at senior level, maybe even a board member, who doesn’t just ‘talk the talk’ but, by their actions, shows people that GDPR and Privacy is important to your organisation.
Next, you need the day-to-day Privacy Champion that people can turn to with their privacy issues. Then he or she is going to have training on GDPR and Privacy and really be in charge of the Privacy programme.
In small organisations, these two people may be the same person. And in larger organisations, you may be expanding this structure.
You can’t manage what you can’t measure, so Step 2 is to establish a benchmark, so you can score where you are and you can see how you progress.
GDPR is your ultimate benchmark, but you’ll be looking for a proxy for this that’s more workable. You’ll use this scoring system against your chosen benchmark to see where you are now and where the gaps are, so you can target remediation – and you’ll be coming back to this time and again.
Keepabl’s SaaS includes our BenchMark, integrated into instant scoring, and so do other providers. But Privacy’s very collaborative and we’re sure if you talk to other people in your situation, you’ll find everyone’s willing to share resources.
The single most important step in your Privacy Governance is establishing an inventory of the personal data that your organisation processes: your Data Map.
This, together with your benchmark is really going to drive your program. Your Data Map will tell you key information including:
And your Data Map is how you create your Article 30 Records, something all controllers and all processors must do under Article 30 of the GDPR. These records of processing are not the same as your full inventory, it’s more of a summary, but you need the inventory to be able to do those.
Keepabl’s SaaS makes creating your Data Map super simple and, as you go, we instantly create your Article 30 Records, both as controller and processor, and many more of your GDPR records and KPIs.
Now you’ve got everything coming together, you can start up systematic remediation and you’ll also know who should be on your team and what they’re going to need to do.
All of the next steps we’re talking about are part of this remediation phase, and you’ll keep coming back to your benchmark and to your Data Map all the way through.
And now with your Data Map under way, it’s a great time to draft up your risk assessments, which GDPR calls ‘impact assessments‘. There’s one that GDPR says you must do, called the Data Protection Impact Assessment, or DPIA, and that’s when there’s a likely high risk to individuals from your processing.
You’ll now bring all this together into your Privacy Framework, driven by your policies and procedures, all those different checklists and the audits you’re going to do, the training and awareness – this is everything you do to create your Privacy Governance and maintain it as a living thing.
These are also the ‘appropriate technical and organisational measures‘ that GDPR requires you to have not only to comply, but to be able to demonstrate that compliance.
And all of this is key for implementing ‘Data Protection by Design‘ and ‘Data Protection by Default‘. Data Protection by Design is essentially ensuring that you implement data protection principles at the outset of every project – they’re always considered. Data Protection by Default is that implementing those data protection principles is your default position.
And now you’ll be in a position to start finalising those Data Protection Impact Assessments, and you’ll also be in a position to decide if you need a Data Protection Officer, a DPO, or an EU Representative, and appoint them.
Now, you can’t have data protection without good security, it’s that fundamental, it’s one of GDPR’s seven principles.
And, for security, that familiar phrase ‘appropriate technical and organisational measures’ means you’re going to be looking at measures such as:
You’ll also need to prepare for personal data breaches – they will happen. Under GDPR, you must record them all, but you don’t need to notify them all. You need to implement a risk assessment procedure when there’s been a breach, so you can decide what the risk is to the individuals concerned.
But you need to act quickly: there’s only 72 hours to notify the regulators, so you need to have a response plan in place, and a team ready.
Data Subject Rights, or DSRs, have been greatly strengthened by GDPR and new ones have been added. DSRs don’t always need action by the data subjects, such as the right to be provided certain information. And they’re not all absolute so, for example, if someone withdraws consent to marketing, that’s an absolute and you have to comply, but others are not – you need to know what those conditions are.
GDPR’s DSRs include to:
Processors are the suppliers who process personal data on your behalf. Typical examples are CRM tools like Salesforce.com or HubSpot, or maybe a group member does payroll for all group companies.
You’ll need to identify all your processors, then prioritise that list so you can carry out due diligence, and put in place GDPR-compliant wording, starting with the highest risk first.
Before GDPR, processor wording was just a short paragraph in a contract and the required due diligence wasn’t so specified. GDPR clarifies what that due diligence should cover, and it’s a bit more involved. And the contract wording has now become a 3 to 6 page ‘Data Processing Addendum’. Thankfully, these are now pretty common. And we’ve a great checklist for you on each of the due diligence and the contract.
Yes, privacy notices were there before, but it’s one of those areas that’s been very much strengthened by GDPR. You’ll have to review all of these and make sure you’re including everything you need to and they reflect your current practices.
A great example of this is the cookie banner. You’ll have seen that, because GDPR beefed up consent, cookie banners have become much more intricate.
And the final step to make all this come alive: Training and Awareness.
Training and awareness means this whole Privacy Framework you’ve spent time building gets put into practice in the right way by the right people.
You’ll need to do an ‘All-hands’ training, and we recommend annually. The UK ICO’s ‘Report a Breach’ form actually does ask: ‘did the people involved have data protection training in the last two years?’, but we recommend an annual refresher and obviously train new joiners.
You’ll also want to train certain teams a little bit more in their area. So, Marketing, Investor Relations, these sort of teams will definitely need training on cookies, on cold calling, cold emailing. And IT and Security will need training on the breach response for example. Maybe Customer Support need training on recognising data subject rights.
And take the time to refresh security training too.
Here’s that Bonus Tip: Reaping the rewards from all of this hard work!
Don’t just put these great measures in place and leave them internal. Put these great measures in place and then prepare to show this, to demonstrate this, to third parties. Not because you have to, but because it’s a great way to overcome sales objections, it’s a great way to fly through investor due diligence and audits.
Create summary documents about your Data Protection practices and about your Information Security. Maybe you’ve got a network you want to describe, or your infrastructure? Believe us, these summary documents are worth their weight in gold and head off sales objections or due diligence follow ups before they even happen.
So there you go – 10 Steps to GDPR Compliance in less than 10 minutes! We hope you find this a useful framework to look at your Privacy Governance. We’ve also put links to the frameworks from the UK’s ICO, France’s CNIL and the European Commission below.
Please do take a look at our other blog posts and Privacy Kitchen‘s videos. Do get involved – use #PRIVACYKITCHEN to tell us the topics and questions you want us to cover.
And do contact us to see how Keepabl can help you put all this in place quickly and manage it with low stress levels!
Stay well in the meantime, and we look forward to seeing you in Privacy Kitchen again soon!
The difference between a controller and a processor under GDPR should be an easy topic, but it can even get Privacy professionals tied up in knots. Don’t worry if it’s…