- 24th May 2017
- Posted by: jrogers
- Category: Data Protection Act Compliance, EU General Data Protection Regulation, GDPR, General, Newsletter, Security Awareness
You’ve done the research, reviewed the requirements and now you know your organisation will be impacted by GDPR. But have you done enough to be compliant?
The regulation will come into effect in a year – the 25th May 2018 – and companies are facing pressure to be compliant in time. If you still have some work to do, our advice is that you take a systematic approach to assess your current position against the GDPR requirements to make sure you’re prepared.
GDPR Compliance Plan
Phase 1 – Preparation
This is the time to get top level management involved, allocate resources and budgets and set deadlines. You need to consider the GDPR requirements and allow adequate time and resources for the review, implementation and validation phases.
- Initiate a GDPR project board
- Agree a budget
- Allocate a dedicated resource
- Assign a board member to be sponsor
- Agree a strict deadline for completing the project
- Introduce a strict governance regime around the project lifecycle
- Define and agree GDPR Scope
Phase 2 – Review
A thorough analysis is needed to determine how much work will be involved for you to become compliant. You will need to review any processes, policies or procedures which relate to the capture, processing, storing and transmission of personally identifiable data.
- Personal Data Discovery to identify where you process personal data
- Compliance assessment to determine whether the personal data processing you perform is lawful in terms of the GDPR
- Perform a governance gap assessment against GDPR to find out if you have the people and processes in place to allow you to meet your legal obligations
- Outline remedial actions based on the compliance and gap assessment findings
Phase 3 – Implementation
You know where your gaps are and you’ve identified any weaknesses in your processes; now is the time to take action.
It’s also important to make sure your employees are fully aware of their responsibilities. Establish a training and awareness programme to help to embed the best practices into operations ahead of the compliance deadline.
- Prioritise, assign and implement remedial actions
- GDPR training and awareness programme
Phase 4 – Validation of GDPR Compliance
You’ve implemented the changes and informed your employees of their role in data protection; now you need to check that the revised processes are working and that you are fully compliant.
Undertake an audit to ensure you’ve closed the gaps and implement a management programme to maintain compliance.
- Perform a verification audit
- Implement a GDPR Management programme
How long will it take to become compliant?
Phase 1 is relatively straightforward, with negligible impact on existing business processes. Phase 2 depends on the complexity of your business and the processing it performs, as well as how effective your information management practices have been so far in providing a reliable catalogue of personal data use across the business.
Phase 3 will inevitably have a greater impact on organisational structure and processes, and can take an average of 9 months to deliver for a medium sized organisation with relatively simple business processes.
After the first 2 phases you will be able to gauge your organisational preparedness and determine how long the implementation phase might take. As there’s only a year until the regulation comes into force, if for any reason you haven’t completed phase 3, the progress you’ve already made and the planned work for phases 3 and 4 will put your organisation in a better position to defend your preparedness for GDPR compliance. However, this is no guarantee that you will not be penalised for non-compliance.
With that in mind, the best way to avoid penalties is to find a way to prepare for GDPR while minimising the impact on your day-to-day business activities. You may be constrained by time, money and resources to get the process up and running but you need to consider whether the fines for failing to comply are worth the lack of investment now.
If you’re still not sure whether you’ll be affected by GDPR, if you’re unsure of what you need to do and don’t have the time or manpower to take action, or if you simply want someone to take control and prepare you for the GDPR, we have the expertise to get you ready. Contact us to discuss how we can help you become compliant.