First Steps Towards GDPR Compliance

6 September 2017

The Chief Legal Officer of SD Worx, Jacqueline Raison, has written some useful information on GDPR and what it might mean for your organisation. This is the second of a series of articles on the steps we are taking at SD Worx to ensure GDPR compliance.

In my first blog in this series, What is GDPR, I said: "As you start looking into GDPR you will find that it will impact more of your organisation than you originally thought."

I am confident in making this statement as this is what happened here at SD Worx as we got deeper into our GDPR Readiness programme.

After notifying the Board, my first step was to assemble a readiness team that covered all relevant areas of the business. Each business area became a work stream, with a senior work stream lead, and each work stream developed its own action plan with milestones.

You will see below a link to a genericized version of our work stream pack in case this helps you in establishing your own work streams and action plans. This is a description of the business areas within SD Worx that we consider need to be engaged in GDPR readiness and why.

IT

The systems and technical processes that we use to process personal data will be key to our compliance with GDPR. We have secured a considerable budget to enhance our IT security, and we are committing to the ISO 27001 standard at the same time as GDPR compliance. Data flow, privacy by design and privacy impact assessments are all covered by the IT work stream.

Product

Whether we are providing a managed service or SaaS we need to ensure that our products enable GDPR compliance. Product enhancement will cover not only our own products, but also 3rd party products that we supply.

Operations

Where our product systems cannot provide automatic GDPR compliance we will need to wrap around operational delivery processes that do. New or enhanced operational processes will require colleague training.

Supplier management

Privacy impact assessments will need to be carried out for relevant suppliers who process personal data on our behalf. Appropriate policies and controls will need to be put in place and supplier compliance with such policies monitored.

Sales

Whilst sales don't have a long list of actions, numerous questions from existing customers and prospects have served as an early warning system of the need for education and training of our sales teams.

Legal

Legal have been instrumental in creating awareness, and in education and training. More tangible actions will include incorporating a new Data Privacy Agreement into all customer contracts to ensure compliance with GDPR and to give assurances to customers.

Commercial

GDPR has necessitated a high degree of investment in our systems and processes. Commercial are considering to what extent these costs have created value for our customers and therefore could be passed on in pricing.

Marketing and Communications

We have developed “Think, Check, Act” as an internal awareness programme and have focused equally on internal and external awareness and knowledge building. Privacy notices will need to be GDPR compliant.

Learning and Development

Training at some level will need to be delivered to all colleagues. In addition, we will be developing a certification scheme for operational delivery colleagues.

You may have more or fewer parts of the business for whom you consider GDPR is relevant. You are welcome to use our base material in the creation of your own work stream pack.