Survive being tasked with GDPR

8 minute read, or just take in the article’s mind map.

Businesses need to cater for GDPR. You need to understand what PII data you have, how you got it and why, what you do with it, and how you satisfy the requirements of GDPR. Someone in the business needs to know about it. Someone needs to make sure it’s sorted. I did it in 2018 alongside my normal job. This article is aimed at anyone in this same position.

After two definitions, the structure of this article is:

GDPR stands for General Data Protection Regulation. It is European Union law with global reach. If you handle European citizen PII data in any way, you need to be aware of it, and, if necessary, take steps to comply. The potential fines are huge.

PII data is Personally Identifiable Information. It is data that could be used to identify individuals, not just on its own, but also in conjunction with other information. This sets a low bar for the classification of PII data. For example, even my ‘rab’ cloudmansys email address counts. Together with this site, it can identify me – not difficult given the LinkedIn and Twitter links.

Mining the consultancy seam?

In the run-up to GDPR’s legal application in May 2018, I suspect some thought it was just another bandwagon for the consultancy brigade, especially those businesses that don’t make extensive use of marketing lists, or that perhaps thought regaining or reaffirming consent was all there was to it. PII has never really been an issue, so why now? However, GDPR goes beyond this, and it’s all about preventing PII becoming an issue.

For European businesses, even if your business does not use mailing lists, you undoubtedly process PII for your employees. Therefore, the fullness of GDPR needs to be understood and catered for. It’s not just consent for marketing lists.

If you are not based in Europe, maybe you operate in a global market? If you ship product to Europe, you’ll probably be using names and addresses. Or do you have a mailing list with EU citizens on it? This is all PII data, and you are subject to GDPR.

Allow sufficient time

When I was asked to sort out GDPR for my employer, I had no idea just how much it would involve. Superficially, it seemed simple. Then, the lack of case law, and the proliferation of advice and consultancy it spawned, made it look a bit more daunting.

Using the philosophy of keeping it simple, I got it done. But it was definitely more work than we initially thought.

Five steps for simple GDPR

What’s here is for non-ISO 27001 businesses. If you have ISO 27001, you are (or should be) well beyond all of this.

Work out what it means for you

Step 1 of 5

Do some basic reading about GDPR. There is no need to be a pioneer. Look at some of your competitors, or who you aspire to compete with. Have they done anything about it? Look for Privacy Policy at the bottom of their website. It should be visible. Otherwise, how would I, as an EU citizen, know whether my PII data is protected? What’s important is to get some idea of how GDPR impacts you.

If you have ISO 9001:2015, use this research to demonstrate that you keep abreast of external issues affecting the organisation (requirement 4.1).

Separate admin from protection

Step 2 of 5

Learn to separate the administration from the protection. This is more a mindset than a step. As a business, you should already be taking data security extremely seriously. If you do see data security issues, get them sorted, immediately. The administration aspects of GDPR can come later.

Hopefully, you’ll find that data security is solid, and you can relax a little and let the administration follow. Protection is bigger than GDPR. GDPR is just some admin surrounding something that should be sorted within your business. Getting this mindset helps keep it simple. If there are issues with data security, put them firmly back in the court of IT and your leadership.

Conduct a PII data audit

Step 3 of 5

Do an internal audit of what PII data you have. You need to know this. It can be difficult to get people to fully engage. You can prepare for this by having ready answers to questions like:

  • What is PII data?
  • Do my email contacts in Outlook or Gmail count as PII data?
  • This is not my responsibility?
  • Even us in the US?
  • What’s the difference between Data Controller and Data Processor?

I think a two-phase approach to the initial PII data audit works best.

  • Phase 1. Basic capture. Get a simple list together of PII assets across the business.
  • Phase 2. Get the detail. Now you’ve hooked them, start reeling in the control detail. If you reveal the extent of Phase 2, people might not be so open at Phase 1.

Going forward, once you get a decent PII Asset Register in place, maintaining it will be simpler. Also, hopefully, everyone will better appreciate the need to do it.

Get the admin in place

Step 4 of 5

Next, get the admin in place. Just tick off the few things you need:

  • GDPR policy
  • DPIA procedure
  • SAR and IRR procedure
  • PII Data Breach procedure
  • Updated Privacy Policy
  • Updated website

When developing your resources, don’t overcomplicate things. Keep it simple. One tip is to refer out to the Information Commissioner’s Office (ICO) advice. For example, for the various Individual Rights Requests (IRR), have a basic procedure that checks the identity of the requestor, establishes whether data is held, and then deals with the request using the latest guidance on the ICO page for that request.

Rely on your provider for your website requirements. For example, I do this site in WordPress. WordPress and the plugins take care of most of it for me. I just had to understand what to look for in terms of settings, and what my responsibilities are. If you are doing this for a business rather than yourself, it should be even easier. Just ask your website people to do it, and if they don’t understand, ask yourself whether they are a good supplier. GDPR should not be a surprise to anyone in this field.

Don’t write more procedure than you have to, especially as it may never be used. Also, if you follow ICO guidance, you can’t go far wrong, and referring out to the ICO shifts the burden of keeping it up to date. Just remember to look at the latest ICO advice when you review your GDPR policies.

Establish awareness and responsibility

Step 5 of 5

Now you are almost there and know more about GDPR, think about general awareness. Consider some training about the importance of data security in general, PII in particular, and the requirements of GDPR. Even if it’s just a FAQ on your intranet, it helps, and it will deflect questions away from you.

Tailor your awareness programs to roles and responsibilities. Breaking it down into who does what keeps it simple, and it shows that you understand the requirements.

Funnel GDPR through key individuals. Make them take responsibility. Identify who owns the PII assets you find, and make their responsibilities very clear to them. Don’t overburden yourself.

Beyond five

That’s it really. Once everyone is aware of what’s been done and what’s required of them, you are pretty much up and running. You are ready for the silence. In all likelihood, nothing much will happen. Nobody really uses the apparatus of GDPR day to day.

Keep an eye on GDPR and the data security landscape, react to events, and refer to the ICO website for guidance. Do a PII audit once a year, reinforce awareness occasionally, and include GDPR/Data Security in your new hire induction.

If you have ISO 9001:2015, include GDPR review in your Management Review.

Enjoy the silence but be prepared

So you’ve completed this task. It can seem a thankless one. Policy for policy’s sake. However, the reward in this unrewarding remit is not running the risk of being crucified by a customer, agency, or the leadership, should someone take a closer look at how you meet GDPR. And, if a PII data incident or SAR ever happens, you will know you have processes in place.

GDPR work is likely to be sporadic, so it’s easy to forget. Develop some resources accordingly. One thing I did post-implementation was prepare some mind maps. These quickly get me back up to speed, and for DPIAs, expanding out the mind map is my process. Here’s the example.

How I remember what to do at DPIA

Can you trust this advice?

I now have the satisfaction of knowing I did a decent job. Not because we have had incidents, but due to a change in business ownership. All our GDPR policies and procedures have been vetted by some Information Security lawyers (not consultants). I thought I’d done a good job, but it’s nice to have a report saying so.

If you keep it simple and cover the basics, you too will get GDPR sorted, return to the day job, and update your CV with this sideline. Let’s face it, if GDPR is your main job, you won’t be reading this article.

Develop a management system?

All the advice above is system agnostic. But, of course, I like developing management systems that support challenges like GDPR. So I’ve done one as a Confluence space. Here’s an image of cloudmansys GDPR.

cloudmansys GDPR

Regardless of what tooling you use to manage GDPR, it’s good to have a single starting point and some organisation. As you do this for yourself, consider something similar. It’ll make it more fun, and, if you choose Confluence, it’s a nice self-contained project to learn with. I hope it goes well for you.
