Taking a Holistic Approach to New Privacy Laws
It’s less than three months until the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. In this article Dominic Fisher, a senior manager in Deloitte Malta’s Risk and Regulatory Advisory Services team, describes why a holistic appr
retailers, wholesalers, hotels, healthcare providers and IT, telecoms and gaming companies. Are there differences between what we’re finding needs to be done at these diverse organisations? Absolutely, enormous differences. However, one common factor is the need for a holistic approach.
The Danger of Piecemeal Project Management
Coming from a family of architects, one of our favourite insults for an ugly modern building is that “it looks like it was designed by a committee”. Similarly, a piecemeal approach to redesigning an organisation’s architecture is likely to result in a mess. We’re finding that the implications of GDPR are far reaching for many organisations. An approach focused only, or overly, on one aspect (e.g. the legal or the technological) is likely to leave you exposed.
While it is human nature for people to say “Just tell me what I need to do to be compliant”, it is also very common for clients to ask us “Am I allowed to do this?”, or “Is this system compliant?”. Usually, it’s best to take a step back. The reality is that compliance has a number of dimensions, and answering such questions one at a time in isolation is a ‘whack-a-mole’ approach that is not the desirable solution.
GDPR Readiness Project Components
Any GDPR project should initially involve an awareness-raising session. While this should at least be directed towards senior management, we recommend widening it to include key staff in the departments most affected by GDPR, such as marketing, HR and IT. As well as achieving ‘buy-in’ around the importance of the Regulation, these sessions should be used to introduce the principles of the GDPR and get your teams’ creative juices flowing around what GDPR specifically means for them and their department.
These sessions can also help with the detailed scoping work, which would usually involve a number of ‘discovery’ meetings. These meetings, which are intended to identify the aspects of the business presenting the greatest privacy risks, often bring to the surface the proverbial needles in a haystack. For example, in a recent discovery meeting, we found that an overseas bank may have access to sales invoices containing personal data due to invoice factoring arrangements. Certainly an area for further work.
Following these meetings, one would be in a much better position to begin a full GDPR readiness assessment. The assessment tool you deploy should be comprehensive in terms of the scope of the Regulation, and it is important that this readiness work is performed in the context of your operations. For example, it is usual to restrict the ‘in scope’ business processes to those where preliminary analysis reveals that the privacy risks are greatest, e.g. where sensitive personal data is gathered. This assessment should establish a privacy baseline and lead to a suitably tailored GDPR implementation programme.
For more granular insights, these assessments can be complemented by the compilation of data inventories. Data inventories are in any case a de facto requirement of the Regulation, as they can be used to fulfil the obligation set out in Article 30 of the GDPR to ‘maintain a record of all (personal data) processing activity’.
Findings from the readiness work should be organised into a logical action plan to provide a clear picture on how to achieve compliance.
Final thoughts
Tools, templates and IT solutions are helpful, but they can also offer a false sense of security. Numerous approaches can be taken to achieve compliance, and the sensible route should also be guided by commercial acumen. Also, in order to obey the spirit of the law as well as its letter, there will be occasions when human expertise is required. Your GDPR team should be very familiar with, and guided by, the seven Principles set out in Article 5 of the Regulation.
Achieving compliance is one thing; maintaining it is another. If, like many other organisations, you are using external expertise to plan and execute a GDPR readiness project, you should make sure that the plan involves effective knowledge transfer. This can be done by ensuring that external consultants work closely with selected members of your team, and by arranging that the readiness tools and templates used are also provided for future use. Done well, your GDPR programme should streamline the data you hold, giving you better control over a key organisational asset.
Dominic Fisher is a senior manager in risk and regulatory advisory at Deloitte Malta. For more information, please visit www.deloitte.com/mt/gdpr