In less than a year, on 25 May 2018, the GDPR officially comes into force in Belgium. A lot has already been said about the legal framework and about the rules and regulations you should take into account. But how should your organization deal with this pragmatically? During Sentia’s well-attended GDPR event, iGuards’ Co-Founder Jan De Bondt provided us with some valuable insights. The highlights of his presentation can be found below.
Let’s start with some good news: you don’t have to start from scratch. The current Belgian legislation around privacy is already pretty strict. If you are already compliant with these laws, your work is 80% done. But the devil is often in the details. Didn’t we hear a Belgian football coach proclaim, when he left the national team, that he had finalized 90% of his work? We all know what happened next... Bottom line: the remaining 20% is a very important part. GDPR pertains to all data and to everyone within your organization: your employees, your customers, but also your suppliers and other stakeholders.
HOW TO START? AND WHERE?
As it is a long journey, you should start with a roadmap. Raise sufficient awareness within your organization by composing a team consisting of people from various divisions: legal, IT, business development and even HR. As mentioned above, GDPR concerns everyone, so it is advisable to inform all employees and departments about how and why GDPR matters. You should win their hearts and minds, as it were.
Once the team is put together, you should take a step back and first assess what data you have within the organization, and where it is stored. This is called the data inventory phase. Take your time to draw up this inventory, because it will serve as the basis for the next stage: a thorough gap analysis. It is also an ideal opportunity to cleanse your data server. And you should ask yourself: who has access to which data? Can they export that data? And is that really necessary? Additionally: do you have a procedure to fully revoke data access for employees who are about to leave the organization?
This entire inventory, with all relevant details, will serve as the starting point for a list of actions to be taken in order to become GDPR-compliant. That list can only be agreed upon after some serious discussions, because you will need to agree on many priorities. Prioritizing is inevitable, as no one can afford to tag everything and to log all data traffic.
Only after all of the above can you start with the next phase: the implementation, in which you select the proper solution, execute the listed actions, adjust where required and provide feedback to your stakeholders. An important, often underestimated, item on your action list is communication and training. You don’t become GDPR-compliant just by introducing technology (though this can obviously help a lot); in the end, it’s your people who need to be aware of the consequences of how they deal with data.
AM I ALREADY TOO LATE?
Not necessarily, but you will have to hurry: every step takes a serious amount of time. There is no ideal planning that fits every organization. The first phase, roadmap and inventory, takes the most time, often more than half a year. The next steps (assessment, prioritization, implementation and communication) may easily take up to three months.
If you need some extra guidelines, you may be interested in this insightful brochure drawn up by the ‘Commission for the protection of the private life’ (aka the Privacy Commission). This document provides you with an easy, non-technical overview of what to take into account.
One final consideration: no one can be 100% GDPR-compliant (yet). There is no official certificate and, no matter what vendors say, there is no tool available yet that ensures 100% compliance. Compliance requires more than just one tool.
So take your time to analyze all of your data before you embark on the rest of your GDPR journey.