Six key questions when building a GDPR compliance programme

I started in the role of Chief Privacy Officer at Pearson very recently, though I have been in the Legal team for eighteen years. I have been blessed with a wealth of resources at my disposal: a central Data Privacy Office team, policies for each area of the business, an incident response toolkit, an established privacy impact assessment process, memberships of various expert bodies and access to training and knowledge resources. I realise that probably makes me very lucky amongst many of you.

But even with the backing of good infrastructure, making best use of resources is key. So what have been the next steps?

Tone from the top is key, as with all compliance. So, getting the right governance in place has been a priority for me.

It has also been a real opportunity to innovate, focusing in on the problems colleagues have around me relating to data privacy, and how to help solve them, leading to improvements in how we do things overall. This approach helps to build collaborative relationships with colleagues, who will then be more willing to support future initiatives for your privacy work, in what becomes a virtuous circle.

Then there is the task of deciding what areas should you focus most energy on. This is by no means a comprehensive guide but, based on my experience, here are six key questions to have in mind.

  1. Does your board take GDPR, and data privacy generally, seriously enough? Make sure you have support at the highest level of the organisation to send a clear message that data privacy is important for everyone. Consider whether having an audit might raise the kind of flags that would help secure increased board-level support – don’t be afraid of one! Put solid governance in place such as a cross-function steering committee. Build a network of data privacy contacts in all parts of the company.
  2. Where are your supporters? How can you help them be more effective at spreading the word? Find people in the product team, technology, marketing and HR and help them embed good practice. The concepts of ‘privacy by design’ and ‘privacy by default’ are helpfully part of GDPR, and so give you the licence to go and insert yourself early on in every data processing activity. You may find one team is doing something particularly well that would work elsewhere too. For us, that’s a set of data-privacy-related JIRA Epics that can be replicated in various development processes in the business – a much more useful tool for a number of colleagues than a spreadsheet or Word document.
  3. Where are the areas of biggest risk? If you don’t know, you’ll need to find out. A data inventory exercise is daunting but there’s a wealth of information out there on how to do it. Talk to colleagues to find out what’s already available. If you do not have access to technological solutions to do it for you, and have to resort to old-fashioned surveys and questionnaires, view the data-gathering exercise as an opportunity to raise awareness with respondents. Look also at your incident management processes, to make sure you’re ready to catch data breaches – it will also help you identify areas where patterns arise and which may need your focus (for example, emails going astray, unencrypted laptops being used and bad information sharing practices).
  4. What are you asking colleagues to do that takes up time? Can you find ways to make those things easier? We have a privacy impact assessment process already well adopted by the business. But it’s clunky, and doesn’t help us build useful data very easily. It often requires several follow up meetings to get it properly completed. So we’re implementing some new software and being very focused on making sure the questions are as plain-English as possible; and that the answers that come out then point to clear, practical guidance and actions that require ideally no or minimal support from my team or others. This means we can focus on the higher risk projects. For example: (i) provide links to specific guidance on marketing, automated decision making, consent, specific considerations around children’s data and vendor management processes through your intranet or other sharing tool; (ii) develop relevant template country guidance for those countries where data transfer is an issue; and (iii) provide template data protection language for contracts, consents and notices so the central team/specialists can spread the work.
  5. What repeat questions are coming in? Work on clear guidance to answer those in a way that can then be useful for others too. Develop specific training to address these issues. Build FAQs and keep them updated. Think about creative ways to develop guidance like flow charts or diagrams, or interactive tools if available. Use survey apps to engage colleagues when delivering training.
  6. What are other organisations doing? There is often no need to reinvent the wheel. I have found the network of data privacy professionals to be amazingly generous and supportive in the first six months of this role. It is particularly useful to connect with non-lawyers who think differently about problems to provide another perspective. Having information about best practice elsewhere through these contacts is very reassuring. LinkedIn in particular has been phenomenally helpful – follow the leaders of the well-known industry groups, and the best known specialist lawyers, then watch who they respect and follow them too.

And, from my perspective, a final important step is letting go of being the expert all of the time and thinking you can do everything centrally. Lawyers are trained to be perfectionists and to focus on inputs (time recording) rather than outputs. Running a privacy programme, especially with a particular deadline like one focused on GDPR compliance, requires a different mindset. You need all the help you can get!

For further information, see EU General Data Protection Regulation toolkit and Legal update, ICO warns businesses to prepare with one year to go until the GDPR.

Catie Sheret