Achieving GDPR Compliance: Episode VII - Business As Usual

Mike Thompson -

So, we made it. May 25th arrived and we're all exhausted. But, we're all still here!

If you've been following my posts on the subject, you'll know that it's been just over a year since we began what feels like the odyssey that is our journey towards GDPR compliance.

A lot of water has passed under the bridge in that time and a lot of things have been achieved.

Let's take a look.

It was probably around this time last year that my (then) manager asked me to get involved in the project, which at the time had effectively one other colleague actively engaged in it. Even then, my remit was pretty specific; identify and document all of our business systems that process or store personal data. This was a fairly huge undertaking in itself, but to be fair, just another huge task in and amongst a variety of other huge tasks.

Nevertheless, I had a job to do and needed to get on with it. At roughly the same time, the aforementioned colleague (Paula) was about to start a data processing review across our entire enterprise; what data we process, how we process it, where is it held, what systems are used and so on. This was perfect - an opportunity to jump aboard that train and that's precisely what happened.

In doing this though, it brought me deeper into the project; as I already had a lot of previous experience in data protection and privacy law, I was able to contribute more than just 'system stuff' to these sessions and I think it helped make them more fruitful, not just from a technology point of view, but also from a process, people and legal point of view also. In any event, it was clear that Paula and I were forming a decent double act and so it continued for the vast majority of the project.

With the review complete, we had teased out a number of interesting things:

  • We store data in some weird and wonderful places
  • We don't overly process data types (i.e. we generally practise data minimisation)
  • We keep data for far longer than we really need to
  • We have processes, policies and procedures we need to update
  • We have an awareness gap, which needs filling

Stuff like that really, which should resonate with most of you reading this post.

So, we formed a bunch of work streams to address the above points. Some looking at marketing, others at staff awareness, while others focussed on our relationships with third parties, or our systems and processes.

One thing we did identify though (around October 2017), was that a lot of the 'buzz' and motivation was coming from the project team itself (two of us, remember?), rather than it being underpinned by a mandate from the leadership team of our organisation. This is something we addressed in a presentation to our board, where we secured buy in and critically material support from our directors.

This was a watershed moment. We had people from the most senior positions in the company taking day to day interest in the project, directing work, listening to concerns, making decisions and so on. This allowed Paula to focus on her role as principle coordinator of our overall compliance project and me to focus on providing consultancy services around the legislative and technical aspects of it all.

And so that's how it continued, through an external audit by the NCC Group at the back end of the year, through to another audit by the UK Information Commissioner's Office earlier this year. Both audits were rigorous, yet both corroborated our own views on the state of our compliance; we're doing lots of great things, but we've got lots more things to do.

So, we ploughed on.

Technology work kicked in; changes to our consent processes, nailing opt-in properly on our websites or telephone order journeys, dealing with legacy data in a responsible way etc.

Awareness campaigns began to happen; GDPR eLearning, quizzes, booklets and even cup mats appeared on everyone's desk! The main aim being to bring data protection to front and centre of everyone's thinking, across the entire organisation. We had 100% completion and 100% success in our eLearning programme, such was A. the quality of it and B. the impetus throughout the business to get these messages driven home.

Our Marketing team, who in fairness have been properly engaged from pretty much day one, simply upped their game further, running myriad data cleansing campaigns and also truly grasped the issues around consent and reengineering how we do that. Phenomenal work.

It felt strange in some ways, because we went from what felt like a lot of meetings where words were spoken, but that was it, to what seemed like a tonne of work happening in unison, fully energised and focussed. It was head spinning to be honest.

But, it confirmed that the GDPR had everyone's attention, commitment and focus. And that's all we could ask for. That's all anyone (even the ICO!) could ask for.

May 25th began to loom. So, where are we?

In a good place actually, because...

  • Technology is on the ball
  • Sales & Marketing are on the ball
  • Learning & Development are on the ball
  • Policy folks are on the ball
  • Legal & Regulatory are on the ball
  • Supplier Management is on the ball

You get the idea. All the talking that had happened previously suddenly transformed into work and the outcomes we were so eager to see were starting to manifest themselves.

Today, I arrived in work to see this:

At first, I thought it a little bit showbiz, but then I realised that three things were true; our company has properly engaged in a righteous journey to deliver on our requirements, that a significant number of colleagues had joined that mission, doing their bit to get us to where we are, but then that also it is something worth celebrating, if for no other reason than to A. recognise the effort and also B. to make it clear, on the day of May 25th 2018, that the GDPR is here, it’s here to stay and it's everyone's responsibility.

So, after lunch today, we had a little party. Some Prosecco was drunk, some cake was eaten and a few gifts were handed out.

I and a few others got a rather nice bottle of gin for our contributions. Paula also got a bottle of gin, but then she also got some flowers and other bits, because she earned them. I may have provided useful guidance to this project and of course I've even written about it extensively on here, but Paula was the glue that held it all together and for that, she deserves the Best Actor award in this particular film.

So, May 25th has come and as I pointed out in an earlier post, we're just getting on with it. Data privacy is business as usual for us, as it was before. Were we doing it as well as we could have been? No. Are we now doing it better? Yes. Can we do it even better? Absolutely.

Making the deadline isn't the end of our journey towards GDPR compliance and doing the right things with people's personal data. No, it's a milestone in our transformation and the start of a fresh commitment to respecting the rights of individuals.

Thanks for reading and if you've followed our journey, I hope it's been helpful, or at the very least, interesting.

Over and out. :)