You need to approach this in a logical, rational way from the start so you don’t go insane later.
In a previous article, I discussed the factors you should consider when deciding whether you want to work on your GDPR compliance in-house or outsource it, as well as the advantages of doing this yourself.
How to do it in-house
To become compliant, you need to know the ‘what’ of compliance and the ‘how’ of compliance.
1. The ‘What’ of compliance
You can’t be compliant if you don’t know what compliance actually means. You need to get a firm grasp of the core requirements of GDPR.
2. The ‘How’ of compliance
When you know what compliance means, you need to figure out how you can get there.
Learning the ‘What’ of compliance
You need to be knowledgeable about the requirements of GDPR.
There are many ways to learn the specifics of GDPR, including:
1. In-person training
The fastest way to get clarity about GDPR is to attend in-person training.
Yes, you can learn about GDPR online but it’s a slower process. It’s more difficult to get answers to your specific questions. It can also be difficult to know whether what you are reading is black-and-white fact or just the opinion of someone who is not fully informed.
There are many training options out there, depending on whether you want to get formally certified as a data protection professional or just want to learn the key elements of GDPR.
For formal certification in Ireland:
Your options include:
- Certified Information Privacy Professional (Europe) through the International Association of Privacy Professionals
CIPP/E training is performed over 2 consecutive days. You take an online exam at a time that suits you, usually within 6 months of the training course. I am somewhat biased about this as I am a trainer for IAPP in Dublin. But even before I became a trainer, I found that CIPP/E was the most recognised global certification available. For more information on CIPP/E, go to https://iapp.org/certify/cippe/. If you are interested in attending the next course in Dublin, contact IAPP’s Irish training partner, Colleary & Co – firstname.lastname@example.org
- PDP Training
Training is performed over 5 days, followed by an exam. I have paid to attend a few of these modules that covered specific topics such as subject access requests. Personally, I’d recommend any modules run by Paul Lavery of McCann Fitzgerald. More information is available at https://www.pdp.ie/training/list-of-courses
- Certified Data Protection Officer through UCD and the Association of Compliance Officers
Training is performed on UCD’s campus on a number of Saturdays over a period of a few months. This is followed by a closed-book exam. This was the first certification route that I took and I found it to be an excellent way to learn about data protection. The certification is accredited through UCD which helps to prove this is an in-depth course. More information is available at https://www.acoi.ie
- The Law Society of Ireland
I don’t have personal experience of the data protection course delivered by the Law Society but I believe it is held in-person and online in the evenings. Many of the trainers are very well-respected in the industry so I don’t doubt the quality of this certification route. More information is available at https://www.lawsociety.ie
If you just want to get trained in GDPR without formal certification:
There are many training options out there. For example, you can attend some of the modules of the PDP course.
2. Online training
If in-person training is not an option, you may find online training courses available on sites such as Udemy.com or Teachable.com.
At the moment, I can’t vouch for the quality of these courses. If the tutor is qualified and experienced, they are probably worth a look.
3. Trustworthy online sources
After you have been trained, you will still need access to guidance on an ongoing basis.
Do not rely on Google to figure out the answers for your GDPR questions.
Seek authoritative sources.
The text of GDPR and local laws
If you have a question about GDPR, you should look at the text of GDPR to see if it can give you a clear answer. The best online source is at https://gdpr-info.eu/.
If you are an organisation established in Ireland, the Irish legislation to enact GDPR is the Data Protection Bill 2018. It’s heavy reading but it’s still useful to access it when you want to understand how the law looks in Ireland: https://data.oireachtas.ie/ie/oireachtas/act/2018/7/eng/enacted/a0718.pdf
The data protection regulators
The Irish regulator’s site is a good source: www.dataprotection.ie
For some juicy insights, the site also includes case studies of how organisations got things wrong. The site categorises the cases by topic – e.g. direct marketing, CCTV. They also publish examples in their annual report.
The ICO (the UK data protection regulator) is also pretty good at publishing guidance on their www.ico.org.uk site. (Just be mindful that if they talk about ‘local’ or ‘national’ law, they are talking about UK law. Irish law may differ.)
Data protection consultancy & legal firms
Look for articles written by people who work in the area of data protection.
For example, I’d like to think my articles can help you.
In my experience, Twitter and LinkedIn can sometimes be better sources than blogs for this type of material. (Given I write articles on this blog and seldom use social media, is this ironic?)
Data protection industry bodies
I also have to mention the International Association of Privacy Professionals (IAPP) as a great source of material. And not just because I am one of their CIPP/E trainers in Ireland!
Personally, I have gained huge value from IAPP’s articles, white papers, webinars and other material. You don’t need to become a paid member to access a lot of the material.
Take a look at www.iapp.org.
Deciding the ‘How’ of compliance
When you have a firm understanding of what compliance means, you need to figure out how to get there.
To get anywhere, you need to work out:
- Where are you now?
- Where do you want to go?
Where are you now?
You need to assess how compliant you currently are.
If you are in good shape, then there will be less work involved in completing this. Alternatively, if you’re not in great shape, you need to be ready for this significant chunk of work.
The best way to assess your current situation is to do some sort of gap analysis.
This will help you see where you are in comparison to where a ‘compliant’ organisation is likely to be.
There are numerous gap analysis templates available online. The assessment tools on the regulators’ sites are a useful place to start. For example:
- The Irish DPC’s guidance for organisations
- The UK ICO’s assessment questionnaire for small businesses and sole traders.
Where do you want to go?
In theory, knowing what GDPR compliance means and knowing where you stand right now should be enough to know what it will take for you to be compliant.
However, it is not always that simple.
You need to decide how compliant you want to be:
- Do you just want to do the minimum necessary to reduce the risk of getting caught?
- Do you want to do everything necessary to comply with both the letter and the spirit of the law?
This may be influenced by the culture of your organisation.
- Does it strive to do what is right for its customers and employees, or does it try to scrape through with the minimum effort necessary?
It may also be driven by the expectations of your customers and the quality of your competitors.
- Do your clients pay for, and expect, the best?
- Could clients easily move to a competitor if you’re not getting this right? And are competitors out there talking about how good they are at this?
And needless to say, it will be influenced by how much time and money you want to put into this compliance work, as well as the complexity of your technology and business processes.
As a business, you need to decide what compliance will look like for you.
This decision will drive the amount of work you will need to do creating or updating staff policies & business procedures, improving technical security measures, etc.
Now that you know it, it’s time to do it.
When you have a clear sense of what compliance requires and how you are going to comply, you need to get on with it.
This is where the theory meets reality, and insanity kicks in.
The causes of insanity when you do it yourself
There are many reasons why you may feel like you are going insane while you try to do this yourself:
1. GDPR is seldom black-and-white
GDPR is principle-based. It lacks the specifics of how you should apply these principles to your real-world scenarios.
If you don’t have trustworthy sources for guidance, you may find contradictory answers online.
You’ll start to wonder if you are doing this right.
You will start to doubt every decision you make.
2. It seems like an ever-growing mountain of work
As you deal with one compliance gap, you may identify many more gaps that you hadn’t previously considered.
The list of things on your to-do may just seem to get longer.
Your motivation will drop when the list just keeps growing.
This will feel like a never-ending story.
3. Your ‘real’ job takes over
If you are trying to do this alongside your other responsibilities, your ‘real job’ will take over.
It is inevitable: There is always a more immediate deadline to meet, a bigger fire to fight.
GDPR will keep getting parked until ‘tomorrow’.
But tomorrow will be just like today.
How to avoid the insanity
I mentioned earlier the two things I think you will need in order to get this done:
- Data protection knowledge
- Implementation experience
If you find yourself struggling, it may mean you need help with one or both of these.
This is nothing to be stressed about. You can’t have all the answers when you give this a go for the first time.
Remember what it was like when you first tried to drive a car?
The insanity of steering while trying to operate a clutch and find a gear (any gear), all the while looking out for lunatics on bikes?
But, with the right support, it became second nature to you.
If you’re struggling because you lack data protection knowledge
If you are struggling to translate principles into real world application, you may need further training and education.
You may also benefit from spending time with people in similar roles and similar organisations to yours – for example, networking sessions for your industry or data protection seminars.
If you can’t learn it yourself, you need to find someone who knows this
They will be able to answer your questions quickly so you don’t lose your mind wondering how to figure this out yourself or reading contradictory opinions online.
If you’re struggling because it seems like a bottomless pit or your ‘real’ job keeps taking priority
The problem is not a lack of knowledge. It’s a problem of getting things done.
It’s important to accept that there will always be something more urgent. But is everything more important than GDPR?
If GDPR is important to you, you need to dedicate time to this.
- You may need to block-book time in your calendar to work on this.
- You may need to work on this from home with your email and phone turned off.
- You may need to seek better buy-in from your colleagues so they understand why other things on your list need to take a back seat for a while.
If you can’t find the time or you can’t prioritise this, you need to find someone who can.
If none of these are realistic options for you, it may be worthwhile getting help from someone who has implemented similar projects elsewhere. They may be able to help put a realistic plan around your activities, help you focus on one thing at a time, and monitor your progress.