Wherever you are on your GDPR journey, the five steps below must be completed and provide a useful checklist for progress. They are based on several years' experience supporting the personal data (PII) requirements of global organisations.
- Assemble a Cross-Business Team
A successful GDPR initiative needs a number of different roles from across the business and IT, including, but not limited to, the following:

| Role | Responsibilities |
|---|---|
| Compliance | Defines the scope of GDPR data for the organisation and the allowed uses of that data, i.e. the lawful basis for each use across the organisation. Compliance also analyses the information returned and ensures that remediation is put in place. |
| GDPR Coordinator | Ensures that each business unit provides the detail of the data it processes, the purpose and the applications used. Briefs business units, coordinates and QAs the information returned and manages queries. |
| Business Units | Provide the detail of the data they process, the purpose and the applications used for their business area, accurately and completely. |
| IT | Provides the detail of the applications and systems it is responsible for, accurately and completely. |
| Project Manager | Creates the plan, coordinates resources, manages dates and deliverables and provides senior management reporting. |
| Analyst | Analyses and models the data received from IT and the business units, for example ensuring there are no duplicates, and provides it to compliance in a format they can use to manage GDPR. |
- Define the Data in Scope for GDPR and Define the Allowed Data Uses
The data that is in scope for GDPR varies from industry to industry and organisation to organisation, so each organisation must define the data in scope for itself. It must also define which data may be used for each business purpose and which lawful basis applies to that purpose (consent is only one of the lawful bases under Article 6, alongside contract, legal obligation, legitimate interests and others). We recommend doing this before the fact-finding exercise, as it provides a structure and minimises duplication and data gaps.
- Get the Business Teams to Provide Detailed GDPR Data
The business teams will need to provide detail of their processes, the purpose of each, the data involved and the applications used. IT will need to provide information on the data held in databases, where those databases are stored and located, and the security controls around both the applications and the underlying technology. There needs to be a standard means of capturing this detail to ensure consistency, so make sure the business is clear about what is being asked for; use your data-in-scope definition as the structure. Once the data is provided, a central team should QA and analyse it to ensure it gives an overall view of the organisation's GDPR position.
- Gap Analysis and Action Plan
A gap analysis and action plan should be created to work towards GDPR compliance, and a repeatable process put in place so that the exercise continues and compliance can be demonstrated on an ongoing basis. Engage both the business and IT teams in defining this process.
- Report to the Regulator
GDPR does not require routine reporting, but under the accountability principle you must be able to demonstrate compliance to your supervisory authority on request, for example by producing your records of processing. You will need to show that you have assessed your organisation against the regulation, that you understand where you are compliant and that you have a plan in place to rectify any issues. The regulator will also expect to see that GDPR is managed as an ongoing commitment within your organisation, i.e. people, processes, technology and change.
EAS have formed a partnership with UST Global and released the Essential GDPR pack, which enables organisations to understand their GDPR compliance position and risk from both a business and an IT perspective. The objective of the tool is to demonstrate to both your CEO and the regulator that the GDPR position is understood and under control; it does this through a series of interactive dashboards and detailed views that can be viewed online or printed to suit the needs of both stakeholders.
Our feedback indicates that, while organisations have assembled teams and started data capture, many are proposing to manage GDPR compliance in a series of spreadsheets. In our experience this is not sustainable: with such a large and constantly changing data set it is almost impossible to collect and structure the data so that it can answer all the regulator's questions while keeping pace with change. A GDPR tool with a comprehensive meta model, repository and adaptable viewer, allied to a very structured data capture process, makes this task achievable and also allows the data captured to support other initiatives such as data management and application portfolio management, so that organisations get further value from data they must capture for GDPR anyway.
EAS, in partnership with UST Global, can accelerate your GDPR initiative by bringing our combined experience and the Essential GDPR pack to:
- Work with you to create a detailed plan to help you gear your organisation’s GDPR initiative for success, including the roles and responsibilities required across the business.
- Work with your Compliance Team, or external organisations such as solicitors, to accelerate your initiative by providing quick starts based on our experience of the scope of GDPR data applicable to your organisation, and a business model that will aid understanding of allowed data usage.
- Provide a set of pre-defined Questionnaires and Online Forms that direct the capture and analysis of the business and IT data required from your organisation. Work with you to create a process to keep this data up to date.
- UST Global, our partner, provides an automated data discovery tool that finds GDPR data in your databases and document stores, covering both structured and unstructured data such as PDFs. The results can be loaded automatically into Essential GDPR to supplement the manual data discovery carried out by business and IT teams, improving accuracy and accelerating the process. The UST tool can also support the "Right to be Forgotten" (right to erasure) requirement by highlighting every instance where a person exists across your organisation.
- Essential GDPR provides powerful dashboards and visualisations to your GDPR data, allowing you to proactively manage your GDPR compliance and demonstrate to both your CEO and the Regulator that you are in control of your GDPR exposure, highlighting where you are compliant, where you have issues and where your risks lie.
- Allow you to utilise the data that you have collected for GDPR to provide additional benefits across your organisation, such as identification of rationalisation opportunities, etc.
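The three mechanical pieces mentioned above, automated discovery of personal data across structured and unstructured stores, comparing what is found against what the business declared (the gap analysis step), and locating every instance of one person for a right-to-erasure request, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not the UST Global discovery tool, the Essential GDPR pack, or any code from EAS. The tables, documents and the `DECLARED` register are constructed sample data, and the regex detectors are deliberately simple heuristics (they catch identifier-shaped values such as e-mail addresses, phone numbers, UK National Insurance numbers and IBANs, and miss free-text names, which a real tool handles with dictionaries or entity recognition).

```python
"""Toy PII discovery, gap analysis and data-subject locator.

Added illustration only: NOT the UST Global discovery tool or the Essential
GDPR pack. All records, documents and the 'declared' register are constructed.
"""
import re
from collections import defaultdict

# Constructed sample estate: two "databases" (table -> rows) and a document store.
TABLES = {
    "crm.customers": [
        {"id": 1, "full_name": "Jane Doe", "email": "jane.doe@example.com",
         "phone": "+44 7700 900123"},
        {"id": 2, "full_name": "John Smith", "email": "john@example.org",
         "phone": "+44 7700 900456"},
    ],
    "billing.invoices": [
        {"invoice": "INV-1", "customer_email": "jane.doe@example.com", "amount": "12.50"},
        {"invoice": "INV-2", "customer_email": "john@example.org", "amount": "99.00"},
    ],
    "hr.payroll": [
        {"staff_no": "S1", "ni_number": "QQ123456C", "iban": "GB29NWBK60161331926819"},
    ],
}
DOCUMENTS = {
    "shared/contracts/jane-doe.txt":
        "Agreement with Jane Doe (jane.doe@example.com), tel +44 7700 900123.",
    "shared/readme.txt": "Nothing personal here, just build notes.",
}

# What the business units declared in the data-capture exercise ('table.column').
# Constructed; in practice this comes from the questionnaires / processing register.
DECLARED = {"crm.customers.email", "crm.customers.phone", "billing.invoices.customer_email"}

# Heuristic detectors for identifier-shaped personal data. A starting point only:
# they miss free-text names and need tuning per estate (false positives included).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # digits with optional spaces, at least 10 digits, not glued to other alphanumerics
    "phone": re.compile(r"(?<![A-Za-z0-9])\+?\d[\d ]{8,}\d(?![A-Za-z0-9])"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


def classify(value: str) -> set:
    """Return the PII categories whose pattern matches the string."""
    return {name for name, rx in PATTERNS.items() if rx.search(value)}


def build_inventory(tables=TABLES, documents=DOCUMENTS) -> dict:
    """Map each location holding personal data to the categories found there.

    Table locations are 'table.column' (flagged if any row matches); document
    locations are the document path. Columns with no hits are omitted.
    """
    found = defaultdict(set)
    for table, rows in tables.items():
        for row in rows:
            for column, value in row.items():
                cats = classify(str(value))
                if cats:
                    found[f"{table}.{column}"] |= cats
    for path, text in documents.items():
        cats = classify(text)
        if cats:
            found[path] |= cats
    return dict(found)


def gap_analysis(inventory: dict, declared=DECLARED) -> dict:
    """Compare what discovery found against what the business declared.

    'undeclared': locations holding personal data that nobody registered a
    purpose for. 'unverified': declared locations where discovery found nothing
    (a stale register entry, or data the detectors cannot see).
    """
    return {
        "undeclared": sorted(set(inventory) - set(declared)),
        "unverified": sorted(set(declared) - set(inventory)),
    }


def locate_subject(identifiers, tables=TABLES, documents=DOCUMENTS) -> list:
    """List every table row ('table#index') and document mentioning any of a
    subject's identifiers (e-mail, phone, name ...), as the starting point for
    an erasure or access request. Case-insensitive substring matching."""
    needles = [i.lower() for i in identifiers]
    hits = []
    for table, rows in tables.items():
        for index, row in enumerate(rows):
            blob = " ".join(str(v) for v in row.values()).lower()
            if any(n in blob for n in needles):
                hits.append(f"{table}#{index}")
    for path, text in documents.items():
        if any(n in text.lower() for n in needles):
            hits.append(path)
    return hits


if __name__ == "__main__":
    inv = build_inventory()
    for location, cats in sorted(inv.items()):
        print(f"{location:40s} {', '.join(sorted(cats))}")
    print("gaps:", gap_analysis(inv))
    print("Jane Doe is held in:", locate_subject(["jane.doe@example.com", "Jane Doe"]))
```

Run against the constructed data, the inventory flags the CRM and billing e-mail and phone columns, the payroll NI and IBAN columns and the contract document; the gap analysis then reports the payroll columns and the document as undeclared, which is exactly the kind of finding that automated discovery adds to a business-led questionnaire. The subject locator returns the CRM row, the invoice row and the contract for Jane Doe, the list an erasure request would have to be actioned against. Note that the locator only finds identifiers it is given; a person referred to only by name in a document is found only if the name is supplied and spelt the same way.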