I am often amazed at the capacity of our brain, the amount of “stuff” that it retains, how it recalls it and how it is able to consider endless possibilities with that “stuff”.
During the GDPR readiness workshops I’ve run with many of our SME clients, they’ve shown that they hold masses of information that they didn’t even know they knew…
In preparation for the workshops, business managers are asked to consider where they get personal data from, what they do with it, who might have access to it, how long they keep it and where they might send it. “That sounds simple enough,” they say, and come along to the workshop confident they have all the questions answered.
But when it comes to data mapping things are rarely simple …
If you’re anything like me, you’ll find pictures are much more engaging than words. I like pictures to tell a story – drawing out relationships between people and organisations, sometimes linear, sometimes intertwining, often messy! During the workshops, when the whiteboard becomes less and less “white” and more and more filled with “stuff” – this is when brains are fired up and the deep dive explorations begin.
What about this? How does that work? As facilitators, it’s our job to be curious. We ask the simple questions of “why?” and “how?”, persisting until, as a team, we are completely satisfied the questions have been accurately answered and all gaps filled in.
So why is this deep dive analysis important?
It’s important because under GDPR, it won’t be good enough to merely ‘tick the box’, and nor will it be acceptable to simply adopt nice new off-the-shelf “GDPR ready” documents.
To be compliant you will need to demonstrate that:
- You do what you say you are going to do; and
- What you say you are going to do reflects the REALITY of your business operations.
So, for example, if your Privacy Notice states that data is not processed outside the EEA – is this true? Who are your technology partners? Do you use cloud services? Do you know where these technology companies host their data and who might have remote access to it?
The GDPR requires completion of approximately 100 separate activities, including establishing appropriate policies, processes and contracts. This can seem an overwhelming task for experienced data privacy professionals, let alone business owners who have the unenviable task of trying to comply with GDPR without the luxury of a vast in-house legal team! By visually mapping out the data journey, the amount of retained “stuff” that comes to light is quite extraordinary and it becomes easier for an organisation to identify where to prioritise GDPR focus. You might not feel able to eat a whole elephant, but it is possible if carved into manageable bite-size chunks!
It’s a never-ending story
And you shouldn’t think that if you achieve compliance by the 25th May 2018 you’ve ticked the box and you can move on with other things. GDPR compliance will be an ongoing requirement and should, at all times, be ingrained into all of your business operations and programmes. It should be a key consideration for any business change, with all documents, policies and contracts updated to reflect the latest reality.
If you’ve not yet started thinking about your GDPR compliance or if you have, but feel as if it is all rather overwhelming, then you would benefit from a detailed Analysis Workshop. This will help you with the first and most important step in your GDPR readiness programme – fully identifying the personal data flowing in and out of your organisation. It will also assist with the preparation of a tailored action plan to address areas that have been identified as ‘risks’ during the Analysis Workshop. Here’s what one of our clients said about a recent session with Fraser:
“The GDPR workshop was very useful. Fraser did a great job in assessing our needs, highlighting the risks, identifying appropriate solutions which we can implement, but still having a sensible attitude bearing in mind the size and complexity of our organisation. I would recommend to any business who is holding personal customer data to engage in a similar workshop. It’s money worth spent and gets straight down to identifying what’s necessary. Thank you Fraser!” – Stephanie Barwick, Chief Executive, Pulmonary Vascular Research Institute
Devant is helping many organisations with their GDPR compliance programmes. If you would be interested in us running a GDPR Analysis Workshop for you, then please do get in touch.
Principal Consultant, Devant