GDPR is a pain in the ass.
As an individual, I believe GDPR is a good thing. But I won’t talk about that here.
As a business owner, I know GDPR is a pain in the ass.
So how do I suggest you start to deal with ‘this pain in the ass’?
What not to do?
1. Do not wait until you are clear about everything
When it comes to GDPR compliance, you are building a house.
It’s your choice whether that house is made of straw, sticks or bricks.
Whatever you decide, you can’t wait until all of the drawings and plans are signed off before you start building a few walls.
Fair enough: you may need to redo some of that work later as you learn more.
But you need to get on with building some sort of defence just in case a big bad wolf calls around before your house is ready.
2. Do not get distracted by technology solutions and GDPR experts
There are a lot of people out there selling GDPR advice and technology solutions. (And yes, I know I’m one of them).
Many will focus on the fines and sanctions to scare you into paying for their service.
Others will focus your attention on one small part of GDPR because the technology they sell might be one way to solve that aspect of GDPR.
My advice? Don’t listen to us too much.
If someone tells you they are a GDPR expert, walk away.
There is no such thing. GDPR does not take effect until 25 May 2018, so you’d need to know the future to be an expert.
If someone tells you they have a technology that will make you GDPR compliant, walk away.
GDPR compliance is not just about technology. It is not just about IT security, either: security (keeping data accurate, confidential and intact) is one of the data protection principles, but it is only one of them, and no product addresses the rest.
And at the start, the only ‘tech’ you need is a pen and paper, a whiteboard, post-it notes or Excel.
What to do?
1. Get a basic understanding of what GDPR actually is
Right now, you just need to get a sense for what GDPR is all about.
Don’t get bogged down in the detail.
Get to know the high-level principles of data protection (in short: process data lawfully and transparently, only for a stated purpose, collect no more than you need, keep it accurate, keep it no longer than necessary, keep it secure, and be able to show you do all of this) and the rights that individuals will have under GDPR (for example to access, correct, erase or move their data, and to object to some uses of it).
Given the number of ‘experts’ and ‘solutions’ out there, choose your source of information carefully.
You can’t go too far wrong by looking at what the data protection authorities advise.
- The websites of Ireland’s Office of the Data Protection Commissioner (ODPC, www.dataprotection.ie) and the UK’s Information Commissioner’s Office (ICO, www.ico.org.uk) are good places to start.
- The ODPC has created a dedicated site to help businesses work out what GDPR means: www.gdprandyou.ie/organisations/
- The ICO’s website has a dedicated GDPR section with a lot of very useful information. If I had to pick just one thing, its 12-step guide, ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’ (PDF format), is worth a read.
2. Write down what your organisation does with personal data
I don’t mean a comprehensive and complete data inventory, or a document worthy of ISO certification.
I mean open an Excel spreadsheet (or find a blank whiteboard) and start writing down the kinds of things your organisation does with the personal data of customers, employees and any other groups of individuals (e.g. suppliers, prospects).
Even just for 30 minutes, think about:
- How you get the data [Gather]
- Where you store it [Store]
- What you use it for [Process]
- Who else you give it to [Disclose]
- How long you keep it and/or when you delete it [Retention]
Perhaps you don’t think you do anything with personal data. If you employ one person or have one customer, you are wrong.
- Employees:
  - You pay them
  - You recruit them
  - You review their performance
  - You maintain an HR file about them.
- Customers:
  - You sell to them and they pay you
  - You call or email them
  - You make notes about them
  - You do marketing to target them.
It’s tough to do any of these things without some element of personal data.
3. [step 1] + [step 2] = [step 3]
Take each thing you do with personal data (step 2) and hold it up against the principles and rights of data protection (step 1).
Are you confident that everything you do (step 2) is aligned with those principles and rights (step 1)? For example: can you say why you hold each set of data, is any of it kept longer than you need it, and could you find and delete one person’s data if they asked?
What are the obvious gaps?
Now, start doing something to close these gaps. Get on with it.
The end of the beginning
These are the initial steps in what could be a long journey.
But focusing your efforts on these three steps will move you in the right direction.
What are the alternatives?
1. Think about this some more
That doesn’t get you any closer to compliance, and it won’t save you time.
2. Go all in: Develop a detailed scope, budget, and project plan
You could run this as a formal project: do a full data inventory and a detailed gap analysis, and then establish a formal project with appropriate resources, budgets and plans to address the gaps.
I like the way you are thinking. This is an effective way to get this nailed.
But it takes time to get this done.
You need to start changing things before the project is ready.
The worst thing to do right now is nothing.
Do something. Do anything.
Start building some walls while you’re still working out the plans.