First Steps Towards GDPR Compliance
Our Head of Legal, Leon Daniel, has written some useful information on GDPR and what it might mean for your organisation. This is the second of a series of articles on the steps we are taking at SD Worx to ensure GDPR compliance.
In the first blog in this series, What is GDPR, I wrote:
As you start looking into GDPR, you will find that it will impact more of your organisation than you originally thought.
I am confident in making this statement as this is what happened here at SD Worx as we got deeper into our GDPR Readiness programme.
After notifying the Board, our first step was to assemble a readiness team that covered all relevant areas of the business. Each business area became a work stream, with a senior work stream lead, and each work stream developed its own action plan with milestones.
You will see below a link to a genericised version of our work stream pack which may assist you in establishing your own work streams and action plans. This is a description of the business areas within SD Worx UK that we consider need to be engaged in GDPR readiness and why.
IT
The systems and technical processes that we use to process personal data will be key to our compliance with GDPR. We have secured a considerable budget to enhance our IT security, and we have obtained ISO 27001 certification for the whole of our business, which is a significant measure in ensuring GDPR compliance.
Data flow, privacy by design and Privacy Impact Assessments are all covered by the IT work stream.
Product
Whether we are providing a managed service or SaaS, we need to ensure that our products enable GDPR compliance. Product enhancement will cover not only our own products, but also third-party products that we supply.
Operations
Where our product systems cannot provide automatic GDPR compliance, we will need to wrap around operational delivery processes that do. New or enhanced operational processes will require colleague training.
Supplier management
Privacy impact assessments will need to be carried out for relevant suppliers who process personal data on our behalf. Appropriate policies and controls will need to be put in place and supplier compliance with such policies monitored.
Sales
Whilst sales don’t have a long list of actions, numerous questions from existing customers and prospects have served as an early warning system of the need for education and training of our sales teams.
Legal
Legal have been instrumental in creating awareness, and in education and training. More tangible actions will include incorporating a new Data Privacy Agreement into all customer contracts to ensure compliance with GDPR and to give assurances to customers.
Commercial
GDPR has necessitated a high degree of investment in our systems and processes. Commercial are considering to what extent these costs have created value for our customers and therefore could be passed on in pricing.
Marketing and Communications
We have developed “Think, Check, Act” as an internal awareness programme and have focused equally on internal and external awareness and knowledge building. Privacy notices will need to be GDPR compliant.
Learning and Development
Training at some level will need to be delivered to all colleagues. In addition, we will be developing a certification scheme for operational delivery colleagues.
You may have more or fewer parts of the business for which you consider GDPR to be relevant. You are welcome to use our base material in the creation of your own work stream pack.