Big School of GDPR, Lesson 3: Assessment of the current state - determining project priorities
By now several people in the company have gone through basic training, or have at least read the previous lessons of the Big School of GDPR by ICT Business Portal and Ostendo Consulting carefully. You have realized that failing to cope with GDPR can represent a serious business risk. You presented this to management, were met with raised eyebrows, got half an hour of attention and, with a little luck, some time, resources and an initial budget to harmonize with the requirements of this socially very useful but, for companies, inconvenient regulation. If your management has concluded that the GDPR project can be postponed because you are a public institution, a state administration body or some other form of organization to which the administrative fines do not apply, just mention the position of AZOP recently published on the ICT Business Portal: the penalty for the criminal offence of unauthorized use of personal data, when committed by an official or a person exercising public authority, is up to five years of imprisonment. Once the GDPR starts to apply, supervisory authorities will also gain much greater powers to enforce the privacy protection of EU citizens.
Where to go, or 137 times "where are we?"
You have created the core of the harmonization team. This core understands the GDPR requirements from a legal point of view, understands the business and the business processes that use personal data in their work, and also understands the information technology the organization uses to run that business. The first step is a gap analysis: find the gaps between how the Regulation requires personal data to be managed and how the organization currently manages it.
The precondition is, of course, an understanding of the Regulation and of all the requirements and recommendations it cites. If you think that at this stage you will have to study the Regulation in detail, together with the large volume of specific explanations and opinions produced by the EU administration, you are wrong.
A large poster listing the 137 GDPR requirements and recommendations can be downloaded here. Downloading the poster may be your first chance to think about the GDPR's consistent requirement that consent be obtained before personal data is disclosed.
Gap analysis workshop
Ideally, print the poster on A2 or larger paper and tape it to the wall. Read through all of the requirements and prepare a table in which, for each requirement, you enter the name of the person you believe can competently describe how it is currently handled (or not handled) in your organization. The example you received when you downloaded the poster will help you. Group the questions by person and arrange thematic interviews. In smaller organizations a few people will be enough to cover all the topics; in large and complex organizations this step can take more than a month.
For each requirement, record not only a description of how it is fulfilled but at least a rating of the level of fulfilment, plus any other ratings that will help you prioritize the harmonization work later.
The gap analysis must be done quickly. You therefore cannot spend much time developing a very detailed conformity assessment methodology based on complex quantitative methods. The reliability of the assessment will rest primarily on the knowledge and experience of the assessors.
You MUST have people who are familiar with the business processes, who understand the GDPR regulation, the IT systems and information security. You will rarely find all of this in one person, but be careful not to spread the team too thin, because that makes communication difficult. Ideally, you want 3-5 highly experienced experts covering these domains. Those who know the business processes you will only find internally; the other roles can be external if needed.

Experienced GDPR experts are difficult to find because, at the time of writing, nobody can have more than about a year of experience with this specific regulation, although they may have it in similar areas. Look for GDPR specialists among people with a great deal of experience in IT compliance. Those who know the Regulation well, together with all the documents it refers to and the numerous cases described on the official pages of the European Commission, or who have already worked on GDPR projects in practice, are rare. With several courses, intensive reading of the expert literature and a lot of effort you can become one of them yourself; the prerequisite is very solid knowledge of both IT and the regulation. A CIPP/E certificate combined with substantial IT experience, or a CISM or CISSP certificate with substantial compliance experience, are excellent indicators of competence in this area. Holders of the latter two can also cover the information security and technology domains. Large, technologically advanced companies will find all of these people within their own organizations; others will have to work with what they have, possibly engaging consultants (who need to meet the same requirements).
The gap analysis report must contain a very simple overview of the current state, ideally in graphical form, plus a description of the state across all domains. You decide for yourself what level of reporting detail is appropriate for your organization. Explain what each compliance level means. This information will later serve to make recommendations, to prioritize, and to design the project plan for aligning with the GDPR requirements, which we will discuss in the next lesson. The link to a sample report is here.