With a couple of months to go until GDPR becomes law, how far up (or down) the Information Commissioner's 12 steps are you from compliance?
We would like to give some practical guidance and advice, as well as share our experience to date. Projecting aren't compliance experts (and don't pretend to be), but our recent experience has shown that, as with most other compliance projects, the practical application of the regulations requires an operational brain with compliance awareness, and that's where our clients have been utilising Projecting.
So, here are our top tips:
- Have a clear Data Policy that covers clients, employees, and vendors
- Communicate clearly with all of these groups on their rights and data retention procedures
- Take the opportunity to assess and clean up personal data repositories and anywhere else you keep personal data internally
- Use this as a marketing opportunity to affirm data security with your clients
- Document your impact assessment fully, i.e. in and out of scope regulations
- Be clear about being a data controller, data processor or both
- You may never get an exhaustive list of the business areas and functions that are impacted, but keep communicating and, importantly, training, and you will reduce the risk of gaps
- Utilise the Information Commissioner's Office (ICO) website
- Don't be distracted by some of the esoteric impacts suggested, e.g. business cards; stay principle-focused
So, we haven’t provided all the answers, and would never hope to, but rather than be as prescriptive as a management consultant, we want to share the pragmatic and not the enigmatic. As with all regulatory projects, we hope that this will assist in putting context and focus on the GDPR project you are undertaking.
And it won’t surprise you to know that we are covering all of the above in our own, internal, Projecting GDPR project!