GDPR tips from a true practitioner
GDPR continues to be a hot topic of conversation across all sectors, with organisations at wildly varying stages of readiness for the May 2018 deadline. The coming few months are set to be very interesting.
Interim Partners speaks with Julian Parkin.
With so much hype surrounding GDPR it is refreshing to speak to a true practitioner. Julian Parkin has been there and done it with data privacy: having delivered an award-winning, group-wide programme for a major UK bank, Julian is now a leading interim consultant working across the financial and professional services sector to implement GDPR. His distinct methodology and approach bring tangible results to his clients, whether they are beginning their implementation programme or are seeing their ongoing attempts fail.
So this is not your first time when it comes to data privacy programmes. What are the key differences between delivering Data Protection Act (DPA) and General Data Protection Regulation (GDPR)?
The principles are the same and are underpinned by the EU philosophy that the individual retains rights over the data. Under GDPR the regulators recognise the power that organisations have as a result of their ability to integrate multiple sources of data to build a picture of the individual. As an individual's profile is so rich, the legislation seeks to ensure companies understand, communicate and handle data in a way that re-balances the relationship. These obligations are now backed by the significant fining regime that can drive better behaviours and practices within companies.
Is GDPR difficult for organisations to implement? What are the typical mistakes an organisation will make when implementing a data privacy programme?
GDPR can be a challenge for organisations because of the number of legacy systems and the complexity within their existing processes and applications. These programmes are very broad and require cross-functional participation from the staff; more often than not they will include overhauling the risk and control framework of an organisation.
Organisations now need to be able to proactively define their data journey and provide evidence and management reporting to support the effective operation of their practices. This is a significant shift in the obligations; we are not too far from implementing a Sarbanes-Oxley Act (SoX) standard of controls across their data lifecycle. The one piece of advice I would give is focus on the 90% you know and do not get distracted by the 10% that experts like to debate… endlessly. Many examples exist but I would recommend that you don't spend too long on what requires consent or what constitutes evidence; data portability is a black hole that can absorb any time you put to it. Once you build pace into a programme it generates its own momentum and you can finesse the 10% of "unknowns" later.
Some organisations seem to already be well advanced in implementing their plans around GDPR, others not so much. With the May 2018 deadline fast approaching, what advice would you give organisations that are yet to look at GDPR implementation?
The requirements are the same for everyone and if companies are starting their journey now then there is likely to be a lot of work to do. My advice would be to ensure they can modulate their activity to make significant progress across the key areas of concern in their organisation. A well-structured programme that is driven by an experienced leader will be able to bring significant results in a six-month timeframe. I have recently restructured a GDPR programme in a challenger bank, which moved to Green in two months and will be predominantly complete within six months of starting.
What is your view of the data privacy talent landscape? Are the requisite skills available in the interim marketplace or should organisations be engaging Big Four or niche data privacy consultancies to do this work for them?
In the last six months there has been a sudden spike in the number of CVs that are calling out GDPR skills. The good people are very busy but there are a number of people who have the specialist skills to run the modulated work streams under an experienced leader. Resources are very constrained across the Big Four, as well as the interim market and therefore rates are rising. Companies looking for partners should review the on-site team’s experience and ensure that they can explain the programme in simple terms to build confidence in their credentials. If your partners are not definitive, they will be learning on your assignment.
What will happen on 25th May 2018? Do you believe the regulator will be quick to enforce sanctions?
Previous experience indicates that the 25th May will be quiet and there will be a gradual pick-up in activity from the regulators. Companies should take stock of their position on the 25th May 2018 and define an ongoing plan to ensure that they continue to invest in their privacy capabilities. Historically, regulators have used their increased fining powers to punish egregious breaches. If companies can demonstrate that they are taking this seriously and continuing to improve, their efforts will be taken into account. They need to understand that it is about when something goes wrong, not if. Their systems and processes should be constantly evaluated for potential failures and businesses should have a plan of action ready. Ultimately, the regulators are sensible and will engage in reasonable discussion if you can demonstrate your commitment.
What lasting impact will GDPR have? Will all organisations need to hire Data Privacy Officers? How will the general public react once they are aware of GDPR?
This is a sea-change moment for the treatment of data across the EU. The UK has also confirmed that it will adopt GDPR into UK law after Brexit, as it will be critical to ensure access to European markets. Organisations will need to appoint Data Privacy Officers, and for smaller companies the outsourcing of this role will be common due to the complexity of the regulations and the cost of the resources.