GDPR, like MiFID II, AML4 and SOX, are all regulations that organisations are legally required to meet. As you ponder your approach to each, it is worth considering a ‘total compliance’ approach. Instead of focusing on each in a silo, total compliance focuses on creating a reusable approach that means you meet your requirements and save time, cost and effort on the way.
To illustrate we’ll use GDPR (as the most current regulation-of-focus) to outline the total compliance approach.
Becoming GDPR compliant
You know you need to be compliant by 18th May 2018, you know that GDPR represents a sizeable task and you know the pressure is on. So how do you know where to start? Which areas are more important (or risky) and should command your attention first? Which good practices you have in place today and should extend vs areas where practices are lax? How do you embed GDPR in the organisations core operations? How do you measure progress and prove compliance? And how do you convert the many checklists and recommendations into actions?
Start by getting the ICO GDPR checklist in hand (you’ve probably got it already, but just in case there’s a reminder below), read it thoroughly and ensure that you understand what is required of your organisation.
Source: ICO Preparing for the General Data Protection Regulation (GDPR)
At the same time, capture or gather your organisation’s current data protection policies and procedures.
Next, get your team together incl. business sponsor / chief privacy officer, data protection officer, functional heads (marketing, sales, customer service etc.), enterprise/business architects, platform owners and developers, business analysts and suppliers.
With the team on board, create a plan and get ready for some workshopping and collaboration (help this along by creating collaborative environment). Many of the activities that follow should be in your plan, but also consider your organisations unique needs and add additional tasks where necessary.
In your first workshop or in a series of mini-working groups, model how your organisation works today by:
- Capturing an overview of your organisation’s operating or capability model at business unit, function or department levels
- Highlighting the areas that customer data flows in and out of using forms/questionnaires, flow diagrams or customer journey maps
- Modelling the associated processes and visualising your data as it flow through the processes incl. highlighting the systems that process and store data, and the people and resources involved in the processes
Your first set of outputs should look something like the following:
Image A: example operating model
Image B: example process diagram
Image C: example data model
Once you have a view of the organisation today, you can start implementing GDPR compliance by:
- Overlaying GDPR requirements on processes (see below) to assess the impact, calculate any potential risks and the gap between the required and current state
Image D: example process with GDPR requirements overlaid
- Prioritising areas of focus based on themes such as risk, effort to bridge gaps, value to the customer, importance to the organisation
- Creating a roadmap of the priorities and order that you will work through them incl. running parallel streams if you have the resources and or reviewing your available resources if the workload to achieve the deadline is beyond your capacity
- Modelling and embedding GDPR compliance into processes covering areas such as data collection, storage and access rules, data access and deletion requests, and data breach incident responses and escalations
- Creating GDPR-compliant requirements or user stories ready for application developers to build or update automated processes
- Producing work instructions (see below) and setting-up role-based training for staff incl. automated reminders and tracking of completion
Image E: example GDPR compliant work instruction
- Producing operating procedures for teams to follow and use as evidence of compliant procedures
- Setting flags against processes that need to be periodically reviewed
- Generating data gathering (see below) and activity reports to help monitor and track progress during the initiatives implementation
- Using the above reports to track and audit performance and compliance at organisation and individual employee (see below) levels once the initiative has been delivered
Image G: example user activity evidencing report
To ensure an always on approach to compliance support your people with GDPR impact assessment questionnaires and guidance notes, and as they make changes to processes, data and or systems use automated notifications and alerts to highlight where they need to follow GDPR requirements.
From GDPR to ‘total compliance’
Swapping GDPR for MFID II or AML4 or SOX and other regulations, the same approach can be used to ensure that your business operations meet regulatory requirements. In this mode, not only will you be creating a consistent approach to regulations, you will also gain value from the time and cost saving of reusing a tried and tested approach.
For more about how you can deliver this approach read about the BusinessOptix solution here.
Notice: organisations are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Organisations are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect their business and any actions the organisation may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all organisation. BusinessOptix does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Image source: http://www.osd.ie/blog/gdpr-is-coming/