In-house GDPR compliance: How to do it without losing your sanity

November 7th, 2018 (updated December 10th, 2018) | Categories: B2B, GDPR

You need to approach this in a logical, rational way from the start so you don’t go insane later.

In a previous article, I discussed the factors you should consider when deciding whether you want to work on your GDPR compliance in-house or outsource it, as well as the advantages of doing this yourself.


How to do it in-house

To become compliant, you need to know the ‘what’ of compliance and the ‘how’ of compliance.

1. The ‘What’ of compliance

You can’t be compliant if you don’t know what compliance actually means. You need to get a firm grasp of the core requirements of GDPR.

2. The ‘How’ of compliance

When you know what compliance means, you need to figure out how you can get there.


Learning the ‘What’ of compliance

You need to be knowledgeable about the requirements of GDPR.

There are many ways to learn the specifics of GDPR, including:

1. In-person training

The fastest way to get clarity about GDPR is to attend in-person training.

Yes, you can learn about GDPR online but it’s a slower process. It’s more difficult to get answers to your specific questions. It can also be difficult to know whether what you are reading is black-and-white fact or just the opinion of someone who is not fully informed.

There are many training options out there, depending on whether you want to get formally certified as a data protection professional or if you just want to learn the key elements of GDPR.

For formal certification in Ireland:

Your options include:

  • Certified Information Privacy Professional (Europe) through the International Association of Privacy Professionals
    CIPP/E training is performed over 2 consecutive days. You take an online exam at a time that suits you, usually within 6 months of the training course. I am somewhat biased about this as I am a trainer for IAPP in Dublin. But even before I became a trainer, I found that CIPP/E was the most recognised global certification available. For more information on CIPP/E, go to https://iapp.org/certify/cippe/. If you are interested in attending the next course in Dublin, contact IAPP’s Irish training partner, Colleary & Co – info@collearyandco.com
  • PDP Training
    Training is performed over 5 days, followed by an exam. I have paid to attend a few of these modules that covered specific topics such as subject access requests. Personally, I’d recommend any modules run by Paul Lavery of McCann Fitzgerald. More information is available at https://www.pdp.ie/training/list-of-courses
  • Certified Data Protection Officer through UCD and the Association of Compliance Officers
    Training is performed on UCD’s campus on a number of Saturdays over a period of a few months. This is followed by a closed-book exam. This was the first certification route that I took and I found it to be an excellent way to learn about data protection. The certification is accredited through UCD, which helps to prove this is an in-depth course. More information is available at https://www.acoi.ie/education/qualifications/professional-certificate-in-data-protection/
  • The Law Society of Ireland
    I don’t have personal experience of this course but I believe it is held in-person and online in the evenings. Many of the trainers are very well-respected in the industry so I don’t doubt the quality of this certification route. More information is available at https://www.lawsociety.ie/productdetails?pid=1331
If you just want to get trained in GDPR without formal certification:

There are many training options out there. For example, you can attend some of the modules of the PDP course.

I may also be able to help you.

  • If it’s just one or two of you:
    I run training sessions in the M50 / West Dublin / North Kildare area on a bi-monthly basis. The session enables you to get trained alongside other businesses. The cost for the half-day session is €295 per attendee.
  • If there’s more than a couple of you and you are in the M50 / Dublin / Kildare area:
    I can run a half-day training session in your offices (read more about this option on my services page).

2. Online training

If in-person training is not an option, you may find online training courses available on sites such as Udemy.com or Teachable.com.

At the moment, I can’t vouch for the quality of these courses. If the tutor is qualified and experienced, they are probably worth a look.

I am currently developing an online course to cover the essentials of GDPR. If you are interested in hearing more and want to get an early bird discount when it launches, just let me know.

3. Trustworthy online sources

After you have been trained, you will still need access to guidance on an ongoing basis.

Do not rely on Google to figure out the answers for your GDPR questions.

Seek authoritative sources.

The text of GDPR and local laws

If you have a question about GDPR, you should look at the text of GDPR to see if it can give you a clear answer. The best online source is at https://gdpr-info.eu/.

If you are an organisation established in Ireland, the Irish legislation to enact GDPR is the Data Protection Bill 2018. It’s heavy reading but it’s still useful to access it when you want to understand how the law looks in Ireland: https://data.oireachtas.ie/ie/oireachtas/act/2018/7/eng/enacted/a0718.pdf

The data protection regulators

The Irish regulator’s site is a good source, even if the site design seems dated these days – www.dataprotection.ie

They also have a site dedicated to GDPR that is worth a look – www.gdprandyou.ie.

For some juicy insights, the site also includes case studies of how organisations got things wrong. The site categorises the cases by topic – e.g. direct marketing, CCTV – https://www.dataprotection.ie/docs/Case-Studies/945.htm

The ICO (the UK data protection regulator) is also pretty good at publishing guidance on their www.ico.org.uk site. (Just be mindful that if they talk about ‘local’ or ‘national’ law, they are talking about UK law. Irish law may differ.)

Data protection consultancy & legal firms

Look for articles written by people who work in the area of data protection.

For example, I’d like to think my articles can help you.

In my experience, Twitter and LinkedIn can sometimes be better sources than blogs for this type of material. (Given I write articles on this blog and seldom use social media, is this ironic?)

Data protection industry bodies

I also have to mention the International Association of Privacy Professionals (IAPP) as a great source of material. And not just because I am one of their CIPP/E trainers in Ireland!

Personally, I have gained huge value from IAPP’s articles, white papers, webinars and other material. You don’t need to become a paid member to access a lot of the material.

Take a look at www.iapp.org.


Deciding the ‘How’ of compliance

When you have a firm understanding of what compliance means, you need to figure out how to get there.

To get anywhere, you need to work out:

  1. Where are you now
  2. Where do you want to go

Where are you now?

You need to assess how compliant you currently are.

If you are in good shape, then there will be less work involved in completing this. Alternatively, if you’re not in great shape, you need to be ready for this significant chunk of work.

The best way to assess your current situation is to do some sort of gap analysis.

This will help you see where you are in comparison to where a ‘compliant’ organisation is likely to be.

There are numerous gap analysis templates available online. The assessment tools on the regulators’ sites are a useful place to start. For example:

Where do you want to go?

In theory, knowing what GDPR compliance means and knowing where you stand right now should be enough to know what it will take for you to be compliant.

However, it is not always that simple.

You need to decide how compliant you want to be:

  • Do you just want to do the minimum necessary to reduce the risk of getting caught?
  • Do you want to do everything necessary to comply with both the letter and the spirit of the law?

This may be influenced by the culture of your organisation.

  • Does it strive to do what is right for its customers and employees, or does it try to scrape through with the minimum effort necessary?

It may also be driven by the expectations of your customers and the quality of your competitors.

  • Do your clients pay for, and expect, the best?
  • Could clients easily move to a competitor if you’re not getting this right? And are competitors out there talking about how good they are at this?

And needless to say, it will be influenced by how much time and money you want to put into this compliance work, as well as the complexity of your technology and business processes.

As a business, you need to decide what compliance will look like for you.

This decision will drive the amount of work you will need to do creating or updating staff policies & business procedures, improving technical security measures, etc.


Now that you know it, it’s time to do it.

When you have a clear sense of what compliance requires and how you are going to comply, you need to get on with it.

This is where the theory meets reality, and insanity kicks in.

The causes of insanity when you do it yourself

There are many reasons why you may feel like you are going insane while you try to do this yourself:

1. GDPR is seldom black-and-white

GDPR is principle-based. It lacks the specifics of how you should apply these principles to your real-world scenarios.

If you don’t have trustworthy sources for guidance, you may find contradictory answers online.

You’ll start to wonder if you are doing this right.

You will start to doubt every decision you make.

2. It seems like an ever-growing mountain of work

As you deal with one compliance gap, you may identify many more gaps that you hadn’t previously considered.

The list of things on your to-do list may just seem to get longer.

Your motivation will drop when the list just keeps growing.

This will feel like a never-ending story.

3. Your ‘real’ job takes over

If you are trying to do this alongside your other responsibilities, your ‘real job’ will take over.

It is inevitable: There is always a more immediate deadline to meet, a bigger fire to fight.

GDPR will keep getting parked until ‘tomorrow’.

But tomorrow will be just like today.


How to avoid the insanity

I mentioned earlier that I think you will need two things in order to get this done:

  1. Data protection knowledge
  2. Implementation experience

If you find yourself struggling, it may mean you need help with one or both of these.

This is nothing to be stressed about. You can’t have all the answers when you give this a go for the first time.

Remember what it was like when you first tried to drive a car?

The insanity of steering while trying to operate a clutch and find a gear (any gear), all the while looking out for lunatics on bikes?

But, with the right support, it became second nature to you.

If you’re struggling because you lack data protection knowledge

If you are struggling to translate principles into real world application, you may need further training and education.

You may also benefit from spending time with people in similar roles and similar organisations to yours – for example, networking sessions for your industry or data protection seminars.

If you can’t learn it yourself, you need to find someone who knows this

They will be able to answer your questions quickly so you don’t lose your mind wondering how to figure this out yourself or reading contradictory opinions online.

If you’re struggling because it seems like a bottomless pit or your ‘real’ job keeps taking priority

The problem is not a lack of knowledge. It’s a problem of getting things done.

It’s important to accept that there will always be something more urgent. But is everything more important than GDPR?

If GDPR is important to you, you need to dedicate time to this.

  • You may need to block-book time in your calendar to work on this.
  • You may need to work on this from home with your email and phone turned off.
  • You may need to seek better buy-in from your colleagues so they understand why other things on your list need to take a back seat for a while.

If you can’t find the time or you can’t prioritise this, you need to find someone who can.

If none of these are realistic options for you, it may be worthwhile getting help from someone who has implemented similar projects elsewhere. They may be able to help put a realistic plan around your activities, help you focus on one thing at a time, and monitor your progress.


How I can help

I hope this article has helped you understand how you can do this yourself and the struggles you may face along the way.

Doing this yourself does not mean doing it alone

I have helped many businesses with their compliance efforts.

With this experience, I have developed a reliable and realistic framework that could enable you to do this without losing your sanity. I can also provide support by email, by phone or in-person.

Further information on the services I offer is accessible from my services page.

If you don’t want, or can’t afford, my consultancy, I hope this series of articles has helped you clarify what you need to do.

I am also developing a set of online courses that could be a good option for you. The first of these courses is free.

For more information, take a look at HelpWithGDPR.com.

About the Author:

Hi, I am Sam Glynn of Code in Motion. I hold various data protection certifications (CIPP/E, CIPM, CDPO) and regularly train future DPOs on behalf of the IAPP. I help businesses that are struggling to comply with data protection rules. I provide pragmatic guidance using plain English.