The May 25th GDPR deadline has been and gone. The good news is that nobody died. The bad news is that many businesses are only just starting to think about preparing for compliance!
At our recent GDPR Preparation Workshops in April and May, our attendees had lots of questions about:
- Dealing with 3rd parties
- How to decide on retention periods
- Staff training
- Data minimisation
- Creating a Personal Data Inventory
- Dealing with Subject Access Requests
- Understanding the sanctions and penalties
…but one area that really struck a chord was “how do I do this and still do my day job?”, an interesting and pertinent point that those in the room appeared to empathise with.
Many, it seems, have been given the task of “sorting out GDPR” for their business, and for some, the more they do, the more they become the responsible and accountable person for it. Whilst some are happy to take on the extra responsibility, and others are contemplating whether they need or want a DPO, others feel ill-prepared for the extra tasks.
It’s worth considering that not everyone will need a Data Protection Officer (DPO). You’ll only need one if you meet any one of the following:
- Process sensitive data or data relating to criminal convictions and offences
- Are a public authority such as a university, state school or publicly funded entity
- Regularly monitor or process data on a large scale from EU citizens
There doesn’t appear to be any guidance on what constitutes “large scale” though, so unless it is obvious, organisations that don’t need to appoint a DPO should keep records of their decision-making process. Current guidance suggests that it will still be good practice to appoint a DPO in some cases; for example, where private organisations carry out public tasks.
Crucially, anyone taking on the role of DPO must be a true expert on the GDPR. Key DPO responsibilities are:
- Inform and advise the controller or the processor and employees of their obligations
- Monitor compliance with the GDPR
- Assign responsibilities, and oversee training, awareness and related audits
- Advise on DPIA activities and performance
- Cooperate with the ICO
- Act as the contact point for the ICO on issues relating to the processing of personal data
What our groups did seem to agree with though is that this is a time for whole-organisation culture change. All staff need to understand GDPR and regular training will help, but it’s revised processes, good practice and a shared, common approach that will truly enable Privacy By Design. Without everyone understanding the GDPR and building an enabling culture, it might be easy for the old practices to slip back in.
So, where do you start if you’re taking on GDPR?
Follow Purple’s guide below to get you started:
People are still talking about GDPR; swapping stories, approaches and questions is a great place to start gathering information and doing some research. Planning is always key, and getting a working party or staff group together will help to foster that all-important internal buy-in and culture change. Putting GDPR on your staff meeting agenda helps to make sure that it’s not forgotten and that you’re reaching everyone.
Use your Personal Data Inventory as a great opportunity to stamp out practices that you know are inefficient. Do you really need all that data in off-site storage? Are you duplicating effort between teams by having siloed, duplicate data sources?
- Get support from your colleagues
- Do your research and ask questions
- Consider whether you need a DPO
- Make a plan and follow it
You need to ensure that staff have been supported and that they don’t feel on their own or in the dark. Support from your Boards and Senior Management Team will help to get cyber security on the radar, and regular updates to them will make sure that it’s repeatedly considered and not forgotten. When you broadcast your efforts to your staff community, do it as one team, as a company, as part of a cultural change, not as a lone voice.