It is now over eight months since the EU’s General Data Protection Regulation (GDPR) came into force, affecting all organisations that do business with EU citizens, however small the proportion of overall operations.
The frantic last-minute preparations are over and so too are the first tentative months, when organisations struggled to get to grips with new tools and processes. GDPR compliance should now be an integral and automatic part of business operations, not a complicated add-on. But is that the reality? What have we learned in the months since the rollout? Here are five key lessons we think you need to know about:
Lesson 1: GDPR compliance needs an ecosystem, not an individual organisation
Yes, your compliance depends overwhelmingly on the processes and technology you have in place within your own organisation. You need to get your house in order first, as the saying goes. But it is important to remember that third party partners and suppliers can also come under the scope of your own GDPR compliance – if you are sending personal data to them for processing, then how they handle and protect that data is critical. In short, you need to choose your partners and suppliers very carefully, scrutinising them for their approach to compliance – or you could be risking your own.
Lesson 2: In a ‘not if, but when’ world, the reporting requirement is key
It is impossible to guarantee 100% protection against cyberattacks and data breaches. Cybercriminals are continually developing their techniques, and human error within your organisation can never be mitigated entirely. As such, it is foolish not to pay attention to the GDPR requirement that all data breaches be reported to the appropriate body (the ICO, in the UK) within a set amount of time of the breach occurring. In this context, paying attention means having a clear and rehearsed process in place for capturing and transmitting the relevant information about a data breach. Remember that a breach is liable to be an extremely stressful and busy time for the business as a whole.
Lesson 3: Standards overlap
The GDPR can initially seem to present an overwhelmingly long and complicated list of demands. However, it is important to remember that other standards you need to comply with overlap substantially with those of the GDPR. BS 10012, the Personal Information Management System standard, for example, is very similar to the GDPR, so achieving compliance with both is not as arduous as you might think. The overlap also underlines just how sensible and useful many of the requirements of the GDPR are – they are not designed to trip you up, but rather to ensure the highest possible standards of personal data protection.
Lesson 4: It’s a journey, not a tick in a box
Unlike some other standards, GDPR compliance is not something you can achieve once, tick off your list and never think about again. It requires a continuous improvement approach, particularly as new third parties join your organisation (a reminder of the importance of lesson 1), new IT systems are deployed and new services and products are rolled out. The ways in which your organisation collects and harnesses personal data are very unlikely to stand still, particularly in an era of big data and artificial intelligence, so your approach to GDPR shouldn’t either.
Lesson 5: Centralised management is key to making all this easy
Given the dynamism and diversity of GDPR compliance – the fact that it never stands still, that you need to be constantly ready to respond to a data incident, and that third parties have a significant impact on your compliance – it is essential to have a comprehensive and centralised resource for managing your compliance processes. This is why we recently launched GDPR Manager, a cloud-based solution which manages a range of the most arduous elements of GDPR compliance smoothly and centrally.
With GDPR Manager, work is saved in a central location, making maintaining and updating documentation simple. The more of your GDPR compliance activities you can do on a single platform, the better – in terms of consistency of approach, time spent on user management, cost-effectiveness, etc.
Get in touch with us today to discuss how it can help your organisation manage these key GDPR lessons.
Use GDPR Manager for fast, efficient compliance