Compliant by design

Multi-disciplinary approach to GDPR Readiness

GDPR is a regulatory framework, and organisations need to translate that framework and its associated legislation into practice. Getting ready for GDPR is therefore essentially a technology-related business change. It requires the skills of a multi-disciplinary team, blending the knowledge of the leadership teams and managers responsible for business operations with expertise from legal, procurement, risk & compliance and information systems.

Tools at our disposal, such as business and information architecture, are ideally suited to operationalising GDPR. Used wisely, the effort devoted to GDPR can allow organisations to realise a range of further benefits. The timetable provides a valuable imperative to kick-start activities and build the momentum needed to effect change. Although GDPR typically lands with compliance teams because of the regulatory angle, it is inherently about handling information correctly.

To address the requirements of GDPR, we see broadly the same approach that has proven itself with the DPA (the existing Data Protection Act) and with wider information security, which treats the topic as information management best practice. GDPR is today’s imperative, largely because of the much higher potential penalties: administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. This has focussed management attention, provided a more compelling business case and released budgets. The approach applies to any organisation, although sector-specific factors will need to be taken into account to ensure a joined-up result.

Know your data

Understand the information the organisation holds, the purposes for which it is used and the processes involved. Although the focus of GDPR is personal data and special-category (sensitive) personal data, organisations can take this opportunity to understand the full range of information they handle and relate it to the business processes and roles within the organisation and its supply chain. This is the essence of business

Information management Policy

Define a policy for how information is managed across its lifecycle. Particularly where information relates to identifiable persons, clearly defined roles and responsibilities are required. Retention rules need to relate to the business need and include steps for periodic review and destruction. The policies then need to be put into practice through processes and procedures, with supporting tools.

Governance

Establish processes for governance and assurance of regulatory requirements. In particular, the individual rights that are typically handled through Subject Access Request and Consent Management processes call for what is essentially a case management approach. Defining the decision-making process, roles and escalations is a refinement of the business architecture.

Privacy by Design

Translate the principles of “Privacy by Design” into best practice guidance and, where necessary, architecture standards. Protection of information is an information security requirement, not just a GDPR one. Dealing with personal data brings some specific challenges, particularly the potential need for anonymisation and the complexity of granting, and potentially withdrawing, consent at a granular level.

Information Sharing

Look at information sharing with other countries and with external parties. There are complexities and potential handovers, so this is prone to be a problem area, in particular a lack of properly defined Information Sharing Agreements (ISAs) with third parties.

There are various options for putting this into operation: for example, carrying out Privacy Impact Assessments (PIAs) across the whole estate at the outset, prioritising them on a risk basis, or undertaking them through regular change projects.

Skills & Capability Requirements

Each area of interest, with the skills & capabilities needed for it:

Understanding the information landscape
  • Mapping the information systems architecture, starting with stored and shared data
Defining organisational policies
  • Appreciation of the legislative requirements
  • Organisational/job design
Defining governance processes (e.g. the PIA process, subject access requests etc.)
  • Business analysis
  • Requirements specification
Third party information sharing agreements
  • Understanding of the wider information architecture
  • Legal/commercial skills to draft the ISAs
International aspects
  • Legal/commercial advice
  • Information architecture to address the international aspects of data sharing
Putting into practice
  • Support and coaching for in-house teams to undertake detailed impact assessments on business systems
  • Corrective action determined by risk-based assessments of the current estate (e.g. re-permissioning, explicit compliance)
  • Revisions to business system analysis, design and build processes to factor in privacy considerations
Potential non-compliance
  • Internal audit policies for periodic review
  • Engagement with regulators
  • Preparedness for enforcement action

What else does good information management help with?

Whilst regulatory compliance is the foremost driver in preparing for GDPR, applying information management best practice is itself a differentiator in the marketplace. The ability to use and manage information appropriately is a core capability for any business. Whilst GDPR doesn’t provide an accreditation, business customers will need GDPR compliance to be demonstrated across their supply chain.

Furthermore, if an organisation is investing in GDPR, then done with vision it can greatly assist with:

  • Preparing for digital transformation
  • Reducing information security and cyber vulnerabilities
  • Rationalising organisation, process and technology
  • Addressing other regulatory compliance needs
  • Streamlining processes through better information sharing and collaboration, internally and with partners
  • Positioning for M&A
  • Reducing IT spend through better use of information assets

This article was written by GDPR Auditing associate Bill Blackburn of the Process Renewal Group.

If you would like to know more about how GDPR Auditing can help your organisation with the EU-US Privacy Shield or the GDPR in general please contact us at info@gdprauditing.com or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2017.