Mark Thompson, global privacy lead at KPMG, comments on the implementation of General Data Protection Regulation (GDPR) and what businesses need to do to get ready.
He said: “With implementation day upon us, many organisations are still scratching their heads as to what they need to do. The reality is that early on we can expect a few high profile examples will be made of non-compliant businesses, but perhaps not the tsunami some foresee.
“Though, all is not lost; businesses need to realise that even if they miss the 25th May deadline, they still have a chance to get their house in order for the long term.”
Mark raises the following practical tips to help businesses with their privacy needs and GDPR compliance:
1. Raise awareness at the board level – the board needs to understand the implications of the GDPR and needs to be bought in to make enhancements. This should result in the funding being made available to undertake a privacy improvement programme.
2. Understand current state and set desired outcome – conduct a gap analysis against the GDPR to understand where your organisation is exposed to risk and determine what the risk appetite is.
3. Plan and implement – create a detailed plan to enable the desired risk appetite to be reached and undertake a privacy improvement programme to deliver against this plan.
4. Don’t rush into major technology investments – it’s tempting to believe that GDPR software solutions can ensure full compliance, but the reality is that, without a clear privacy strategy and a documented roadmap, they may simply add more complexity — at a considerable cost. Before considering which solutions to invest in, you must first get the basics right, starting with strong governance. Once a simpler, streamlined set of processes and roles is in place, then seek appropriate applications that meet the needs to help automate repeatable processes.
5. Be prepared for questions – privacy is a hot topic and only likely to get hotter. Reputational damage — as a result of breaches or unethical activity — can be immense, and there is a small but growing community of journalists and other stakeholders that are eager to ask difficult questions. The answer is to be media ready at all times, with a well-briefed communications team and a senior, credible, privacy-aware spokesperson/people. When dealing with customers, it’s vital that all staff are fully trained and able to anticipate questions. It only takes one poor or uninformed response — especially where a customer has a good understanding of her/his rights — to create a negative experience, as well as an investigation.