Extract from article by Mark Webber and Hannah Blake
With the implementation of the EU General Data Protection Regulation (GDPR) less than a year away, being ‘GDPR ready’ is a key focus for many organizations. But this task extends beyond the privacy or compliance team: it requires the involvement and cooperation of the whole organization to take compliance with the GDPR from theory to practice.
Even those who’ve pushed through data mapping are starting to realize that it’s one thing to have a core privacy team on top of the GDPR, but quite another to operationalize the GDPR throughout an entire organization.
To help, here we provide the top 10 steps to operationalize the GDPR in your organization.
- Understand your organization’s governance – rally support!
- Key stakeholders
If the highest level of management within an organization sets privacy as a key priority, it will help to set the tone of privacy across your organization. They could even go as far as to implement a privacy strategy or publish a privacy mission statement. Involvement and support at this level will promote and push forward the compliance process, encouraging the involvement and education of employees and the assignment of tasks. Maintaining such a policy will determine how far privacy is built into day-to-day operations.
In other businesses we see other compliance champions. Sales people love to sell, and if they feel deal friction from privacy, and Q2’s figures are suffering because of Article 28 (the processor contract terms the GDPR requires in customer and vendor agreements), you can bet they want to smooth that process and perhaps even lead and sell with compliance. Seek out those impacted and build a coalition.
- Key individuals
In addition, one of the first key questions your organization should ask when looking at its governance structure is ‘Does this organization need a Data Protection Officer (DPO)?’. This is a key role under the GDPR, and Article 37 sets out when an appointment is mandatory. Unless it is obvious that your organization does not need to appoint one, it should document the reason for its decision, so that the analysis can be shown to a regulator if the question is later raised.
Different people across an organization bring different specialisms relevant to privacy, and responsibility should be assigned accordingly to create a network of people who manage the day-to-day impact of privacy within your organization. A clear and coherent governance structure will ensure a smoother transition to GDPR compliance.