Expert Tips for Practical GDPR Compliance

What are some common concerns around achieving GDPR compliance? How can organisations overcome those struggles? How can they manage their data processing activities effectively? And how can organisations assess their GDPR compliance?

We put these questions, and more, to Louise Brooks, our head of consultancy.

Louise advises organisations on data protection laws like the UK and EU GDPR (General Data Protection Regulation), helping them fulfil their privacy obligations while continuing to meet their business objectives.


In this interview

  • Misunderstandings around the GDPR and compliance
  • How the GDPR is a business enabler, not a ‘necessary evil’
  • Identifying your ‘pinch points’ to better secure personal data
  • The importance of appointing a data protection lead (or DPO)
  • Staff training programme layers and positive compliance cultures
  • The need for effective detection and response, as breaches are unavoidable

In your experience, what are the top concerns around achieving GDPR compliance?

The big one is viewing data protection – and therefore the UK GDPR – as a blocker to, rather than an enabler of, business objectives.

That’s probably because organisations tend to see the GDPR as prescriptive. This stems from misunderstandings around how the Regulation actually works:

  1. The UK GDPR is principles-based, so it doesn’t have a prescribed list of dos and don’ts.
  2. The Regulation is risk-based – you need to take proportionate action only.

Where the risks are higher, you must implement a higher level of compliance. You may also be subject to more stringent requirements – conducting a DPIA [data protection impact assessment], for example, and possibly appointing a DPO [data protection officer].

The bigger point to understand is that the GDPR provides a framework rather than a stringent set of requirements. Organisations must implement that framework in a way appropriate to the context of their business, but we’ve seen clients struggle with that concept.

How do you help clients overcome such struggles?

Explaining that complying with the GDPR is a business enabler, rather than a ‘necessary evil’, is a big one.

Various compliance activities are sensible things for organisations to be doing anyway – to simplify their processes, thereby saving time and money, for example.

But I also believe that effective GDPR compliance can enhance trust and confidence in a brand.

Organisations must remember that real, living people are behind the vast quantities of information they’re gathering and processing. Those people will be affected if anything goes wrong due to mismanagement of their data.

However, people are generally open to forgiving organisations when things go wrong if the organisation can demonstrate they treated personal data with the respect that it deserves, and they did the best they could.

How can organisations better secure personal data?

First, take the time to go over the basics:

  • What personal data are you processing?
  • How are you processing that data?
  • Why are you processing it?

If you have a good overview of this context, you can better understand exactly what risks you’re exposing personal data to. Without that knowledge, you can’t protect the data effectively while you’re processing it.

This exercise also tells you where your ‘pinch points’ are [i.e. where those risks might materialise] in your systems and processes.

In turn, that information can inform your broader risk appetite and help focus your efforts on where to deploy further security mechanisms – over and beyond the basic ones most organisations have in place.

How can you manage your data processing activities effectively?

The first step is deciding who’ll be responsible for day-to-day compliance. Typically, that’s either your DPO, if you have that legal obligation, or your ‘data protection lead’. They could be:

Appointing a single point of contact for data protection matters means that individual will ensure compliance activities – like records of processing activities and DPIAs – get completed.

They’ll also act as a conduit by gathering all necessary personnel and documentation, and keeping all the completed paperwork together, so you can demonstrate that you’re meeting the GDPR’s accountability principle.

You can do this on something like SharePoint, or specialist software like IT Governance’s CyberComply. The key is to make sure your documentation – which is evidence of your compliance – is filed appropriately, readily available, and not dependent on any one person.

What sort of training do staff with data protection responsibilities need?

Training should extend to all staff, not just those with specific data protection responsibilities. Ideally, layer your training programme as follows:

  1. General staff awareness training – how to avoid data breaches, how to react when a data subject contacts you, and so on.
  2. Nuanced training for those responsible for securing, or who regularly handle, personal data. That can range from DPOs to staff in HR, finance and sales.
  3. Specific training for senior management, so they can better understand the risks associated with processing personal data, the organisation’s compliance obligations, and how to make effective decisions with those things in mind.

But it’s not just a matter of training.

You also need a positive compliance culture. This empowers staff – and the organisation as a whole – to make the right decisions when it comes to data protection. The right culture ensures that data protection is the foundation upon which all business activities involving personal data are based.

[For ideas on engaging staff in data protection, check out this blog, highlighting 118 ways to help embed data protection in your workplace culture.]

Do you have any final words of advice?

Despite lots of effort to prevent them, personal data breaches can still happen – we’re already looking at a record number of publicly disclosed incidents for the year.

What makes the difference is how the organisation responds to a breach.

Organisations need detection procedures in place, which can highlight personal data breaches as quickly as possible. When paired with processes for managing the breach, you can quickly contain it, reducing the risk to individuals and overall impact on the organisation.

But if you fail to plan for personal data breaches, you’ll struggle to act quickly. This likely exacerbates any incident, and will certainly be viewed negatively by the regulator.


How do you assess GDPR compliance?

The most effective way to assess GDPR compliance is through a gap analysis.

DQM GRC offers an assessment that considers an organisation’s data protection and privacy arrangements against nine distinct areas:

After the assessment, we issue a report, which includes:

  • A score out of ten for each compliance area (illustrated above);
  • A summary of good areas of practice, and areas for improvement; and
  • Lots of practical guidance and recommendations on how to improve your compliance.

This report provides a ‘snapshot’ of GDPR compliance to decision-makers, informing them of the organisation’s risk exposure.

The report also offers an excellent starting point for a compliance or implementation project, looking to remedy the areas requiring improvement.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our previous interview with Louise on meeting your legal requirements around cookies?

Alternatively, explore our full index of interviews here.
