Becoming compliant with GDPR: Outsource or in-house?

October 25th, 2018 | Categories: B2B, GDPR

Your attitude, your time and your budget will determine the best way for you to become compliant

Two key things you need to become compliant

To become GDPR compliant, you need two things:

  1. Knowledge – The ‘What’
  2. Implementation – The ‘How’

1. Knowledge (‘What’)

Before you can become compliant, you need to know what compliance means: the principles, the legal bases, the data subject rights, the breach notification requirements.

The list goes on.

But the list does end.

And it’s not rocket science.

2. Implementation (‘How’)

Assuming you have sufficient knowledge, becoming compliant is just like any other project.

You need to know how to get from ‘Point A’ (where you are right now) to ‘Point B’ (where you need to be) as seamlessly as possible, while continuing to run your business.


You have two options

When faced with these two key issues of knowledge and implementation, I think you have two options:

  1. Outsource: Get someone else to do it
  2. In-house: Do it yourself, with or without support

Whatever option you choose, you will need to be involved. However, the nature of the involvement will differ.

I have helped businesses with their compliance efforts using each one of these approaches. Some have asked me to lead them through it, while others wanted to lead but have my support along the way.

In my experience, I think the best option for you depends on a few things:

  1. Your money
    How much of your money do you want to spend on this?
  2. Your time
    How much of your time do you want to spend on this?
  3. Your attitude
    Is privacy and data protection a concern of yours personally?
    Do you want to do the minimum so your business can claim to be compliant, or do you really want to nail this so you are doing what is right for your customers and employees?
  4. Your interest
    Do you think you could find the area of data protection interesting?
    Is it something you would like to know more about?

Time and money: Which do you have more of?

Let’s start with the basics: Time and money.

[Graph: GDPR compliance, in-house vs outsourced, plotted against time and money]

My over-simplified graph shows the two main options plotted in terms of how much of your money and how much of your time you want to invest in this.

More money than time

If you have money but not a lot of time, you should look at approaches that allow someone else to do most of the work.

  • You will become compliant faster.
  • You won’t have to grapple with the greyness of GDPR. You’ll be paying someone else with the knowledge to do this for you.

But...

  • You may need to sign a big cheque, or a series of cheques.
  • When the project ends and the experts leave, a lot of the knowledge will also walk out the door. You may be compliant on the day they leave but you may struggle to remain compliant as time goes on.

More time than money

Alternatively, if you don’t have much money, you should look at approaches that allow you to do more of the work.

  • It’s achievable. GDPR is not rocket science.
  • You will be confident about your compliance because you will have done the work. You will know why decisions were made because you were the one who made them.
  • You will be very knowledgeable about how data protection strengthens your own rights.

But, it’s not all sunshine and lollipops:

  • It will take you longer.
  • The greyness of GDPR may make you feel like you are going insane if you don’t know where to get support and guidance.

Attitude and interest: Do you want to really nail it?

I’ve talked about the obvious factors of time and money.

But I think there are other factors you need to consider: Specifically, your own attitude towards, and interest in, data protection.

Attitude

  1. Do you think data protection provides long-term benefits for your business?
  2. Is privacy important to you or your loved ones? Are you annoyed or concerned about the amount of data gathering and surveillance going on all around you?

Interest

  1. Would you like to understand how data protection could strengthen the trust between you and your clients? How it could be a competitive advantage?
  2. Would you like to know how data protection rights can help you and your loved ones understand and control the amount of data being gathered and processed about you?

Why would your attitude or interest matter?

If data protection does not matter to you, you don’t see any long-term benefit to it, and you just want to ‘get it done’, outsourcing may be the better option for you. Why work on something that is of no interest to you and that you don’t think provides any long-term value?

However, if it’s an area that seems interesting to you (for business and/or personal reasons), doing this in-house may be the better option.

  • You will know far more about data protection.
  • You will be confident about your own compliance.
  • You will be able to remain compliant into the future.
  • You will be able to describe your compliance with your clients, improving their trust and respect for you.
  • If you are a B2B, you could help your clients with their compliance efforts, becoming a valued business partner of theirs.
  • You will know far more about your own data protection rights (and the rights of your loved ones).

My star ratings

I’ve summarised my own thoughts about the two options in the following table:

[Table: GDPR compliance project, in-house vs outsourced, time and money assessment]

[The more stars, the better!]

Outsource is the better approach if you want to spend money and save time, especially if you have little interest in learning about data protection.

In-house is the better approach, especially if you have an interest in the area. It will involve far more of your time but there are ways to reduce this (hence the 2 optional stars), which I will discuss in another article.

So, what now?

As I mentioned already, I have helped businesses with their compliance efforts using each of these approaches. Some have asked me to lead them through it, while others wanted to lead but have my support along the way.

So, I think I have an objective view on the relative strengths of each approach and hopefully this article has helped you identify the approach that suits you best.

If you have decided the outsource approach is the one for you

I have a few suggestions on how to select the right outsource provider for you and how to avoid the common pitfalls of the outsourced approach.

Click here for my article on how to outsource this work

If you have decided you want to do this in-house

That’s great – I think I have a lot of good pointers for you.

Click here for my article on how to do this in-house without losing your sanity.

About the Author:

Hi, I am Sam Glynn of Code in Motion. I hold various data protection certifications (CIPP/E, CIPM, CDPO) and regularly train future DPOs on behalf of the IAPP. I help businesses that are struggling to comply with data protection rules. I provide pragmatic guidance using plain English.