Done nothing for GDPR? It's never too late...

Updated 23rd May 2018.

GDPR means it's a new era for EU citizens. This new EU data protection law aims at ensuring that processing of personal data is fair and lawful. It is designed to give effect to the fundamental right to privacy.

The first point I want to make is that GDPR is a good thing:

Introduction to GDPR

To keep this post short, GDPR is mainly the enforcement of 6 data privacy principles:

In addition, you need to justify why you hold Personal Data under what are called the lawful bases for processing. These are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

Between you and me, I would have chosen a different order, because consent is the last thing you want to rely on, since it can be withdrawn. Legitimate interest needs to be justified, so it must be used carefully.

Rumours

You may have heard that:

You will probably hear a lot less:

Setting a goal?

After reading the regulation, I came to the conclusion that the 72-hour breach deadline was the goal to aim for in demonstrating compliance: prepare for a data breach.

Because when you do, you will probably have solved 90% of your compliance work.

I acknowledge that you want to avoid a breach, but if one occurs you'll be glad you listened to my advice. Let me explain:

If there is a breach, you need to demonstrate that you took all measures to prevent it. Demonstrate means "document" (Article 30). A breach is not necessarily someone hacking your company network. It could be a staff member losing their briefcase, whether or not there is a laptop in it.

What type of documentation is needed?

Please take a quick look at the 6 principles again, and try to figure out which principles you'll be able to comply with by documenting.

Planning

Because I am a good guy, I'll share some tips to speed things up.

Becoming conscious

GDPR should not be seen as a burden. It may be one in the short term, but your business will benefit in the long term.

Senior management must think differently. I honestly think that if the business approach is not led by example from senior management, it will fail. The company must adopt a "privacy first" attitude.

GDPR is an opportunity to broadcast to the world that your business actually cares about the people it deals with. It's a Customer Relationship opportunity.

Inventory

There are several inventories to carry out:

Rather than trying to isolate the things that handle personal data, do an inclusive inventory using a tool like Bizoneo and filter afterwards. Also, identify the location of each item in the inventory.

Bizoneo allows the inventory to be centralised. When the inventory is complete, you can assign people in the organisation to investigate each item one by one. Once again, the advantage of the database is that multiple people can maintain the data, and all of it is stored in one place, making it very easy for the person in charge of data protection to review the gaps.

Data mapping

You will draw diagrams of the data workflow. You can use PowerPoint to start, but there are dedicated tools for this such as Pencil or Visio.

In the diagram, there are start and end actions. In between, you need to put a block for each action, arrows to show the flow, and, for each block, a note of how the data is stored.

The diagram will also be split by responsibility, so that each block is under the responsibility of a "process owner".

Sample basic workflow

(The diagram will be replaced shortly by a better example)

Gap analysis

From the diagram and the inventory, you will be able to document "data-points". This will help you identify whether the personal data should be there or not, as you need to justify its presence.

At that stage, it should be clearer what to do. If not, that's when you can get a truly knowledgeable person to help.
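To make the inventory, data-mapping and gap-analysis steps above concrete, here is an added example that models them in code. It is not code from this post and has nothing to do with Bizoneo's own data model: the record layout (system, location, category, lawful basis, process owner), the flow records standing in for the diagram's arrows, and the sample entries are all constructed for illustration. The "review" findings for consent and legitimate interests follow the remark earlier in the post that consent can be withdrawn and legitimate interest must be justified.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The six Article 6 lawful bases for processing personal data.
LAWFUL_BASES = {
    "consent",
    "contract",
    "legal obligation",
    "vital interests",
    "public task",
    "legitimate interests",
}


@dataclass
class DataPoint:
    """One 'data-point': a category of data held in one inventoried item (constructed layout)."""
    system: str                          # the inventoried item (application, file share, cabinet)
    location: str                        # where that item lives; empty string if not yet identified
    category: str                        # what is held, e.g. "employee payroll"
    personal: bool                       # True if it is personal data
    lawful_basis: Optional[str] = None   # documented Article 6 basis, if any
    process_owner: Optional[str] = None  # person responsible for this block of the diagram


@dataclass
class Flow:
    """One arrow in the data-mapping diagram (constructed layout)."""
    source: str
    target: str


@dataclass
class Finding:
    severity: str   # "gap": cannot be justified yet; "review": needs a written justification
    system: str
    message: str


def gap_analysis(points: list[DataPoint], flows: list[Flow]) -> list[Finding]:
    """Compare the inventory with the diagram and report what cannot yet be justified."""
    findings: list[Finding] = []
    inventoried = {p.system for p in points}

    for p in points:
        if not p.personal:
            continue  # only personal data needs a lawful basis
        if not p.location:
            findings.append(Finding("gap", p.system, f"{p.category}: location not identified"))
        if p.process_owner is None:
            findings.append(Finding("gap", p.system, f"{p.category}: no process owner assigned"))
        if p.lawful_basis is None:
            findings.append(Finding("gap", p.system, f"{p.category}: no lawful basis documented"))
        elif p.lawful_basis not in LAWFUL_BASES:
            findings.append(Finding("gap", p.system,
                                    f"{p.category}: '{p.lawful_basis}' is not an Article 6 basis"))
        elif p.lawful_basis == "consent":
            findings.append(Finding("review", p.system,
                                    f"{p.category}: relies on consent, which can be withdrawn"))
        elif p.lawful_basis == "legitimate interests":
            findings.append(Finding("review", p.system,
                                    f"{p.category}: legitimate interests must be justified"))

    # Every arrow must join two items that exist in the inventory; otherwise the
    # diagram shows data going somewhere nobody has inventoried.
    for f in flows:
        for end in (f.source, f.target):
            if end not in inventoried:
                findings.append(Finding("gap", end,
                                        f"flow {f.source} -> {f.target}: '{end}' is not in the inventory"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, for a quick view of how much work remains."""
    counts = {"gap": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory and diagram (not real data).
SAMPLE_POINTS = [
    DataPoint("hr-payroll", "office file server", "employee payroll", True, "contract", "HR manager"),
    DataPoint("crm", "hosted CRM, EU region", "prospect contact details", True, "consent", "sales lead"),
    DataPoint("marketing-list", "exported spreadsheet", "newsletter subscribers", True),
    DataPoint("analytics", "hosted analytics", "aggregated page views", False),
    DataPoint("support-tickets", "", "customer e-mails", True, "legitimate interests", "support lead"),
]
SAMPLE_FLOWS = [
    Flow("web-form", "crm"),          # "web-form" was never inventoried
    Flow("crm", "marketing-list"),
    Flow("crm", "support-tickets"),
]

if __name__ == "__main__":
    results = gap_analysis(SAMPLE_POINTS, SAMPLE_FLOWS)
    for item in results:
        print(f"[{item.severity:6}] {item.system}: {item.message}")
    print(summarise(results))
```

Run as a script, it lists each data-point that still lacks a location, an owner or a lawful basis, flags the consent- and legitimate-interest-based entries for a written justification, and catches the arrow in the diagram that points at a system missing from the inventory. Feeding it a real inventory export is a matter of building the `DataPoint` and `Flow` lists from that export.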

You can read the whole GDPR, but start by looking at the 6 principles and the lawfulness of processing.

The key additional things to worry about are:

Privacy policies

Under GDPR, the privacy policy describes in detail how your business handles personal data. You will probably need multiple privacy policies: HR, clients, prospects, 

Privacy policies are the conclusion of the inventory carried out.

It's also why it's much easier for businesses that have used a tool such as Bizoneo to write theirs and keep them up to date.

How to choose someone to help?

Have a conversation with the person. Gauge their experience handling data and their ability to understand your business.

Conclusion

Go on, take a deep breath and go for it.

Going the GDPR compliance way will, in the medium to long run, give your business an extra competitive advantage: caring about privacy.

No need to call "Ghostbusters"... But if you are still confused, why not talk to a specialist (a real one)? It will cost you some money, but you will be well equipped.

- Claude Saulnier
Brand Ambassador - Bizoneo