
Implementing GDPR compliance program while also taking a business value approach and addressing fundamental data governance needs

May 25th 2018, the GDPR milestone date, is now well in the past. Yet although the deadline has come and gone, the majority of companies continue to struggle with GDPR. The legal experts will have given their advice and the consultants will have created the paperwork, but in most organizations many of the fundamental issues remain:

  • Who is responsible for maintaining the Data Register?
  • How do you keep it up-to-date as Business processes are changing?
  • Are we conducting quality DPIAs on our new business processes?
  • Are we complying with data retention policies?

And the list goes on.

The Challenge

Data Trust Associates have implemented many GDPR programs across different sectors, and the risk tolerance differed from sector to sector. In the case of this customer, a well-known name in the Utility sector, the requirements were strict compliance with GDPR and the ability to reuse our work across the group's entities located in Belgium, The Netherlands, Germany and the UK.

Our vision for GDPR compliance is that its principles should be at the core of any business project involving personal data. While most GDPR programs are initiated by a Legal or Compliance team, the focus is rarely on data governance or on implementing technology that automatically enforces many of the principles the legislation stipulates. Our 360° approach to the implementation of a GDPR program contains the following key elements:

  • Readiness Assessment of the organization for GDPR

This covers the organization (people), the processes and their surrounding environment, and the technology environment's capability to support GDPR compliance.

  • Gap Analysis of where the organization is versus where it wants to be, taking into account risk tolerance, capabilities and budgets
  • Road Map of how to reach full compliance, taking into account both the current and future landscapes and technology evolutions
  • Business Operating Model based on a standard framework to define the current business and supporting processes
  • Implementation tracks to address the different GDPR areas, such as:
    • Data Register
    • Data Subject Access Rights
    • Data Protection Impact Assessments
    • Policies
    • Technology supporting GDPR compliance
    • Training & Awareness

The Result

Most organizations do not make the link between ongoing GDPR compliance and the need to have a data governance structure in place, even a basic one. The majority of organizations also think that once the project is finished, compliance is done, and forget that:

  • Privacy laws continue to change to address new challenges, whether arising from the law itself or from new technology
  • Most people in an organization do not find data privacy and data protection exciting and so turn a blind eye to it; someone needs to keep an eye on compliance

Our approach to addressing these and many other challenges is to provide:

  • DPO as a Service, so that an independent body oversees compliance
  • Ongoing training for all people in the organization
  • An annual audit of the company's adherence to GDPR through our Data Protection Audit framework

Apart from these services, our constant mantra is to put basic data governance in place and to address the key issues from that perspective. This helped to take the pressure off the legal teams and distribute it across the organization, involving the IT, Business, Marketing, Finance and HR departments.

Key Performance Indicators

  • Heatmap indicating levels of compliance
  • 85% of people within the organization trained in GDPR
  • Use of technology to support the Data Register
  • Implementation of a Business Operating Model
  • Creation of a Data Governance group
  • Strong management awareness of how to become a compliant, data-driven organisation