Before the GDPR came into force we saw a flurry of activity from organisations wanting to kick off privacy compliance projects to ensure that they achieved that compliance by 25 May 2018. However, many organisations were unprepared or unwilling to do what was required to achieve compliance, and a great deal of projects continued well beyond 25 May 2018. We all learned a lot during that time and can now apply that knowledge to any privacy compliance project, independently of legislation or how compliant the organisation is at the outset.

  1. Talk to experts before deciding on your approach
    By experts we mean privacy, IT, Information Security, Legal and change management experts, who can provide well-informed estimates of time and effort. Often, we see organisations silo these consultations, by only covering IT or Legal aspects. This can lead to mismanaged expectations.
  2. Understand who your key stakeholders are
    Even before you set up a formal change management structure, understand who the best advocates for your project will be. Chances are that you will need their support to convince senior stakeholders to fund and prioritise the required change.
  3. Get senior buy-in
    Bring your senior management groups with you to ensure that you will have coverage to kick off the formal change management programme. This will mean Board and/or Executive teams, relevant audit teams, and their senior leadership.
  4. Manage expectations
    Do not oversell how simple the project might be, and how many benefits it could bring the company. Compliance changes are notoriously hard truths to accept, and it is better to paint a truthful picture than to ask for additional time or money down the line.
  5. Make it simple
    When explaining to your senior stakeholders what is needed, ensure (i) that they understand what data protection compliance is, and are not confusing it with IT or pure cyber security and (ii) that you bring the concept to life with examples that everyone understands.
  6. Do the maths first
    It is understandably difficult to put a price tag on changes that can only be assessed when the clear picture of the compliance estate is defined. Doing the maths of the several phases as they come is likely to get you a bit further along the way. Also, don’t forget to do the “negative” math –not just ‘how much this will cost us’, but also ‘what will we not be able to do because of this’. This is the real cost of compliance.
  7. Think about your starting point, priorities, and quick wins
    It is important to prioritise efforts and find quick wins that will move the dial forward in terms of compliance with the least amount of effort. For example, reviewing an incident response plan and delivering some face-to-face training about it will go a long way in finding and handling incidents before they get too big.
  8. Start with data mapping
    When starting any puzzle, you need to understand what the image is that you are putting together. The same goes for a privacy compliance exercise–understanding what data you have and what happens to it is the critical starting point.
  9. Engage experts to support outside of everyday tasks
    Do not rely only on your usual teams to deliver this programme of change, as it can be very intense, and you risk creating problems in your everyday compliance. Think about privacy, IT, InfoSec and Legal experts that you may be able to rely on to deliver this programme.
  10. Remember—this is about individuals and their privacy
    Along the way in any project, it is easy to get lost in technical details and terminology. Ultimately, what is asked of organisations is to do the right thing with regards to information related to individuals, and to respect their choices. This should be clear throughout the project.

Please contact us at HewardMills if you want to discuss any of the points in this article, or find out more about our services.