What’s in your GDPR grab bag? You know, the things you will reach for urgently if it turns out on 25th May that your compliance programme has been less of a sure foundation and is more of a burning platform. Although a key message delivered by Philip James, partner in law firm Sheridan’s, at last week’s fourth DataIQ GDPR Impact series was, “nobody panic - there is still time and the world is not going to end,” he also recognised that many organisations are a long way behind the curve.
Third-party research suggests the gap between intention and completion remains considerable - one survey found 49% of consumers had yet to receive repermissioning emails, while another found just 31% of websites were compliant. Perhaps not surprisingly, a Netapp study heard that 74% of UK decision-makers don’t believe they will be compliant in time.
For that reason, James considered the issue of the GDPR grab bag: “if panic has set in - what should be in it?” His first piece of advice was to focus on what your organisation can control, such as contractual arrangements with third parties, especially IT suppliers. If cloud-based services are relied on, the business needs to understand what the terms and conditions are and how that supplier is planning to meet the requirements of the Regulation.
“Create a data processing spreadsheet and use it as a template for new suppliers and as a record for existing suppliers,” he advised. Key questions to answer in this process include how data is backed up, what security measures are in place and how often they are tested.
The importance of having a plan and documentation, as well as identifying what data is held, where it is processed and who is responsible, is at the heart of any last-minute preparation, “even if it is just one page,” he said. Perhaps the simplest piece of advice he offered was also the most surprising: “Don’t forget the ICO’s website and its toolkit - don’t pay a lawyer to regurgitate it.”
If many organisations have struggled to prepare for GDPR, even with a two-year transition period, then one reason may be the sheer range of activities which compliance programmes need to undertake. Few business functions will remain unaffected, from those which are directly customer-facing via those which manage and rely on personal information right up to finance and the board.
As the DataIQ GDPR Impact research, carried out in association with Experian, discovered, some of these activities are more obvious starting points than others. Half of organisations report that they have done Data Protection Impact Assessments and reviewed their privacy notices, whereas only one in six have drawn up Binding Corporate Rules for data transfers. The group which should be really worried on 25th May, however, is the 8.9% which says it is only preparing in broad terms. The ICO is likely to come looking for specific evidence that businesses are showing a willingness to adapt to the law and to respect the new consumer rights it grants.
After all, one of the most important things to remember about the new Regulation is that, “even when you have completed your compliance programme, GDPR doesn’t just end,” pointed out Paul Malyon, data strategy manager at Experian.
Nowhere is this truer than around data accuracy - Article 5.1(d) specifically mandates that personal information must be kept up-to-date. “You have to take reasonable steps to maintain accuracy - 47.1% of companies say they currently use customer data matching and enhancement, with 29.4% saying they would consider using this,” said Malyon.
A much bigger gap exists around planning for a data breach, specifically having an external partner contracted to respond. Malyon stressed how important it is to address this aspect of GDPR preparation urgently: “Most organisations don’t have a plan in place, but breaches are inevitable. Have a plan, test it and have a partner to help you - and get insurance.”
He outlined the four-stage maturity curve that Experian has identified across its client base and the processes which underpin each one. Critically, at level three (proactive), organisations start to recognise that GDPR is an opportunity, while at level four (optimal), GDPR has become business as usual.
Malyon’s own packing list for emergency compliance included enabling customer access to their data, having a subject access request process that is as automated as possible, defining retention policies, and having clearly defined purposes for which data is being collected, with permission to process it sought. “You should have a living document of all your data types and the departments that have access to it,” he said. “That is a very useful thing to be able to show the Regulator.”
Business leaders could be forgiven if the sound of ticking clocks becomes deafening in the next three weeks, as an increasing number of advisers and vendors emphasise how time is running out. But the message which Malyon offered is that there are reliable, proven tools to help you get ready. And as James pointed out, readiness relies on being prepared to do something, rather than sitting frozen in fear: “Don’t sit with your head in your hands thinking it is all too much.”
The fourth research report in the DataIQ GDPR Impact series, “Readiness”, produced in association with Experian, is available for download.