As the calendar rapidly counts down towards 25th May 2018, organisations are trying to speed up their GDPR compliance programmes. One frustration that is regularly expressed is that the 12-step guidance put out by the ICO is not clear enough. So are there alternatives which might better serve the purpose?
Alcoholics Anonymous has probably the most famous 12-step programme in the world. It might not seem the obvious place to look for an insight into data protection guidance, but let me try to persuade you. Within the Regulation, much of the detail is about how the law is to be implemented and enforced, emphasising that there is only one set of rules and one set of regulators to be obeyed. AA strikes a similar balance with its religious dimension, and here are five of its steps that apply to data protection as well as they do to rehab:
We admit that we are powerless - this is a common reaction in the face of GDPR with a general sense of helplessness that the law is changing and organisations do not know what to do about it. The first step towards compliance is to accept this - the law is changing and your organisation’s data strategy will have to as well.
We believe there is a power greater than us - quite clearly, this is Elizabeth Denham who, as Information Commissioner, will be busy next year working through her naughty list. Her prime targets will be organisations who have not accepted that GDPR is a higher power and believe they can continue to behave the way they always have.
We have made a searching and fearless moral inventory - a data audit, by any other name. As with rehab, the key to compliance is finding where any “data sins” are hidden and bringing them to light. It may be uncomfortable to acknowledge them, but it will ensure they are not repeated.
We have made amends to people we have harmed - if you are wondering what data deletion and the right to be forgotten will be like in practice, here it is. What you do not want is to be on the end of a class action because of the harm caused by a breach of GDPR rules, so better to make amends directly and early in the compliance process.
We have had a spiritual awakening and practice these principles in our affairs - the end point for a GDPR programme should be an organisational culture that lives the principles of the Regulation, rather than sees them as an adjustment to be made at the end of the planning process for a business activity.
What Alcoholics Anonymous advises its members as a way to break their addiction is certainly not legal advice for achieving GDPR compliance. But there are worse ways to set about a programme than trying to adopt a set of beliefs and behaviours, rather than finding legal boxes to tick.