Big school of GDPR - Lesson 2: Establishment of an effective project team

Starting a GDPR project - Establishment of an effective project team

The consequences of breaching GDPR provisions have a major to catastrophic impact on the company's business, which makes GDPR a problem for management. Keep this in mind when creating your GDPR team.

In the previous lesson, we described the impact of GDPR on society, companies, individuals ... Now that everyone is perfectly clear that serious changes are taking place in the handling of personal data, we will consider which major changes companies can expect (this includes the state administration, which we will no longer mention separately, because all of this applies equally to it), who will implement them, and how.

GDPR is a business risk - manage risk

Business models based on the processing of personal data will undergo a very serious transition. Everyone whose model is based on violating privacy rights (and each day there are more and more of them) will have to devise completely new ways of selling and delivering their services and products.

The company's management must be aware of the GDPR requirements. They must be able to apply them to existing business models and find the critical points - to understand where and to what extent the company does not meet these requirements, and to make sure that it meets them by May 2018 at the latest. For many this will be difficult or even impossible. That is why the focus should be on the activities that deliver the greatest impact in the least time. The GDPR project must not be delayed, and it must not be neglected.

For many companies, GDPR will be a business and even an existential risk, and managing such risks is primarily the task of the management board. How much each management board member will personally devote to resolving them depends on many factors, but one thing is certain: the management must be aware of the consequences GDPR will have for their company and must take the appropriate measures. The company's impact assessment is best conducted by an internal team that understands both the GDPR requirements and the internal processes well, but that will certainly not be the fastest way. Engaging an experienced consultancy team that has already gone through this process with other companies brings significant savings in time and cost, but it also brings something much more important: experience from other GDPR projects, so you do not have to learn from your own mistakes. Many GDPR decisions have far-reaching consequences for the business. Education is in every case the first step, but who needs to be educated?

Create and educate the GDPR team today!

What business are you in? Do you collect personal information in your business, or perhaps process it for others? Personal data is any information, or combination of information, from which a person can easily be identified. Consider whether there is any business process within your company that involves collecting or processing personal information. The person responsible for that process must, without delay, set about understanding GDPR. Reading these lessons is a good start, but specialist education will help.

We distinguish three main types of education:

  • Education on the Regulation itself - occasionally conducted by AZOP with the aim of providing objective information on the content of the Regulation itself; it does not address the challenges companies face during harmonization.
  • Workshops on harmonization with the GDPR requirements - conducted by specialized educational institutions and consulting companies. Such training can be very specific and is the best starting point. In one to two days you will gain insight into what you need to do and how it is done. You will understand the concrete impact of GDPR on your organization.
  • CIPP/E certification - Certified Information Privacy Professional, the expert certification of the largest global privacy protection organization, IAPP. There are excellent preparatory courses, on-site and online. Very detailed, with many different professional orientations.

In larger organizations, GDPR education should be mandatory for the managers responsible for business processes that collect and process personal information, while in smaller companies it should be mandatory for the directors. Special attention should be paid to sales and marketing. Today's sales and marketing strategies in most end-user-oriented companies grossly violate the GDPR requirements. They do so intensively and publicly, which significantly increases exposure to sanctions.

Do you handle highly confidential categories of personal data? Do you have information on health, political affiliation, financial condition or sexual orientation, or perhaps even the personal information of minors?

Are you a big retail chain? Do you have information about the spending habits of people identified by their payment cards? Do you provide brokerage services in finance or any other business? Are you a law office that sues your clients' debtors? Or maybe you are a court, a city administration, a hospital ... These are just some examples of organizations that are particularly risky from the GDPR standpoint.

Educate yourself so that you can assess the size of the problem your business faces. The consequences of breaching GDPR provisions have a major to catastrophic impact on the company's business, which makes GDPR a problem for the management. Keep this in mind when you establish your GDPR team. It will primarily comprise the people responsible for business results, i.e. sales, marketing and the managers of the business processes that handle personal information. There will also be representatives of the legal and human resources departments, and certainly IT, information security (the CISO) and compliance, but none of them will redesign the business processes. That can only be done by those who designed them.

Assess the state and report to the management

Many management board members are not yet aware of the size of the business risk they are exposed to because of GDPR. Many will think that the company has more important work, other money-making projects, etc. See the short video recorded by Elizabeth Denham, U.K. Information Commissioner, to warn management board members about the approaching GDPR harmonization deadline.

Have your small team meet internally immediately after the education, identify where each item of personal information is used, how well the processes are aligned with the GDPR requirements from the legal side, and to what extent the organization is ready to meet requirements such as:

  • Are you even able to determine exactly what counts as personal information? The definition is much wider than the one you used before. If not, how will you delete, protect or export it? Who will determine it, and does IT have sufficiently detailed instructions on what needs to be done to bring the information systems in line with the GDPR requirements?
  • Can you prove that you know exactly where personal information is located, that you are aware of the risk attached to every such item of data, and that you protect it against that risk?
  • Right to be forgotten - Can you really just wipe out all the information about a particular person from all information systems, including backups and archives from the past ten or more years? Can you delete it from paper documents, and do you know where all the personal information is located? In mail, business application databases, IT test environments, personal computers, employee phones, binders ... Can you delete information from databases without compromising the integrity of other information?
  • The right to one's own personal information - can you simply export a natural person's information from your systems to a CSV file and hand it over to its owner? Are you even aware of which personal information you do or do not have? Are you allowed to hand over information that you use in, or that is the result of, your internal processing? For example, a list of financial transactions and the risk profile of a bank's client, or a list of calls and the locations from which a telecom's clients call, or patients' medical results ...

Consider the issue of processing permissions. Were consents collected together with the data in the way GDPR requires? They were not. You could not have known, at the time you collected the data, that such consents would be needed. How will you solve this problem? Where will you keep the evidence that you have the consents, and how will you ensure that data processing cannot be carried out without them?

Identify the greatest risks. What are you doing wrong, and what would be the effect of stopping these activities? Can you afford to stop sales and marketing, or to stop sharing personal information with the companies you work with? Do you have an alternative solution?

Identify the greatest business risks and estimate the time harmonization will take. One year will hardly be enough. Put it on paper - A4, one page. Send it to the management board and request a meeting. Actually, you will not have to request it. A responsible management will convene a meeting itself and appoint a team for harmonization with GDPR, and at this stage you will know very well who should be on that team.

This lesson is part of the Big School of GDPR by ICT Business Portal and Ostendo Consulting.