GDPR Three months on: Waves & Ripples
After the dust settled on 26th May 2018, many businesses may have felt that GDPR came in with a whimper rather than a bang, and having dealt with their marketing databases and their privacy notices, many went back to the day job of running their company.
For Sympatico, GDPR and compliance are the day job, so of course we're always working on it, and the client work certainly hasn't abated. We've been dealing with the ripple effect of compliance, which is the true work that GDPR compliance requires: helping our clients get the relevant assurance from their suppliers and vendors, or assuring their own clients and making sure Data Processing Agreements (DPAs) are in place where relevant. In short, we're busy making sure our own clients can continue with their day job of running a successful business.
We've been helping our clients make sense of their information maze, supporting them so they know where all their data is with our data flow mapping and inventory creation processes. Our work includes uncovering clients' privacy risks and helping close out those liabilities so they can become stronger businesses, with a more robust approach to data management and better digital technology choices. It's not just about the peace of mind which this brings; it's about optimising and systemising a business when it comes to its data and digital approach.
From our perspective, GDPR is coming in waves: April 2018 felt like a tsunami of panic as many organisations scrambled to comply, often taking a tick-box or rushed approach, perhaps making mistakes along the way or missing the bigger picture that GDPR implies and can unlock: good data governance, secure digital technology and agile processes, trusted vendors and trained employees.
The past few months have felt like a current pulling us in the right direction of compliance, with better data protections and respect; however, there's still lots of work to do over the next 18 months and beyond. At Sympatico, we saw 25th May as the starting line, not the finishing line.
So three months in, we're now expecting and predicting the next wave: that's when the post-GDPR infringements and data breaches, Information Commissioner's Office (ICO) enforcement actions, brand impacts and costs kick in. We think that wave is on its way for late Autumn and beyond. We're not hoping for that wave, simply expecting it: the risks of data breaches and fines for non-compliance look inevitable.
At Sympatico, we want to make sure our clients keep a cool head with the right preparations, intent and planning in place. But if you haven't tackled compliance beyond the tick box, what should you do now?
Here's our GDPR compliance health-check: some key steps your organisation should be tackling when it comes to compliance. How do you fare?
- You know where your (personal) data is (electronic and physical files), you have mapped the information flows at your practice and you have analysed your personal data
- Your policies & procedures have been updated in line with Data Protection and Information Security (GDPR)
- Suppliers and vendors: you have checked and assured your third-party liability when it comes to personal data processing, and DPAs are in place
- Technology: you have assured the Confidentiality, Integrity & Availability of your data processing systems. You have relevant technical and organisational protections in place (e.g. encryption) when it comes to personal data
- Your external privacy policies, communications and marketing are compliant; you have validated consent mechanisms
- Your people are aware and trained
- You understand and can uphold GDPR principles and data rights; you have tested your ability to uphold a Subject Access Request
- Data breaches: you are recording these and have an incident response plan ready (which has been updated post GDPR), and you have tested it
- Your organisational culture supports privacy (including carrying out Data Protection Impact Assessments (DPIAs) where processing is high risk)
If you need help with any aspect of GDPR, from training, brand resilience and data breach workshops to compliance documentation creation and diagnostics, just get in touch at firstname.lastname@example.org