Through experience of designing and delivering data privacy, data governance and security programs over recent years, INTRAWAY has defined a methodology that not only focuses on the immediate GDPR remediation required, but also drives towards a sustainable steady state for personal data management within an organization over the long term. This cost-effective phased approach is as follows:
PHASE 1: Project Design
Engaging the right people at top management level is necessary to ensure that the organisation commits the necessary time and resources and develops a culture that respects privacy. Hold a kick-off meeting (or several), agree a governance structure, allocate resources and set a budget. In these early stages you may not know exactly how much work will be required, but you will have an idea of which teams are likely to need to be involved (Legal, IT, Compliance, HR, Marketing & Sales and so on), how much internal resource you have available and in what areas you are likely to need external support.
PHASE 2: GDPR Assessment
This phase undertakes a GDPR assessment study that will: (i) establish the landscape of personal information captured, stored and processed; (ii) evaluate the current maturity of information governance, security controls and associated privacy processes (e.g. Privacy Impact Assessment, Subject Access Request) across the organization; and (iii) evaluate the technical and operational maturity of the organization to meet the longer-term requirements of GDPR and ensure a sustainable future state. The starting point will vary according to the organization's current level of compliance with existing regulation and its level of data privacy awareness. Using a proven impact assessment methodology, an initial baseline of data privacy maturity will be determined. Further detailed Privacy Impact Assessments will then be undertaken, driven by the gap assessment and the associated risk.
PHASE 3: Compliance Roadmap
Once a high-level view of the personal data landscape is established and the current level of compliance maturity determined, further detailed assessment and planning work is undertaken to create an overall compliance roadmap that: (i) considers the current controls and risk landscape (from a personal data perspective); (ii) identifies a set of sub-projects to be executed in order to meet the required compliance; (iii) provides a view of the transition states for the organization's data landscape; (iv) evaluates the current level of data governance implementation; and (v) evaluates the technical framework supporting GDPR requirements.
PHASE 4: Remediation Solutions
Driven by the findings of the assessment and the compliance roadmap, the implementation and enterprise rollout of the required remediation solutions typically cover the following domains: (i) updates to organizational policies and governance, e.g. data privacy policies, the data protection officer role and accountabilities; (ii) definition of, or updates to, key processes to support requests under individual rights, embedding privacy by design into existing processes and data protection impact assessments into system/process development methodologies. It is crucial that organisations design an Incident Report Plan that includes the detailed actions that will need to take place so that, if required, notifications can be made in a timely manner to the Supervisory Authority (within 72 hours from detection of the data breach) and to the data subject. The Plan should include a clear, pre-determined sequence of actions and a clear allocation of responsibility for those actions, as well as notification templates, investigation requirements, reporting, and media and communications management. A well thought-through privacy impact assessment can also expose a potentially high-risk business partner.
PHASE 5: Ongoing Operational Capability
Critical to the long-term success of any remediation implementation is ensuring that the changes are sustainable and maintainable for the future. Experience has demonstrated that operational effectiveness can only be sustained with: (i) training for all staff, highlighting any changes that were implemented because of GDPR and the reasons for them; (ii) monitoring staff compliance on a continuous basis and updating policies and procedures when needed; and (iii) establishing and maintaining a governance-driven culture that empowers people to actively protect their organization. Such a culture is a much more effective shield against privacy threats than a compliance-driven approach, which can prove bureaucratic.