Welcome to my definitive guide to GDPR – Part 1
Who am I to write this guide? In short, I am no one!
I am not a lawyer, I am not a professional in European Law, I am simply ‘The Bad Manager’ (for more on that, see my other blog posts). Why am I writing this guide? My aim is to help other people like me, managers, who are facing the daunting topic of GDPR with the ever-looming deadline hanging over their heads.
[This is one of several posts which I wrote back in March, but due to being so immersed in GDPR, it never got to see the light of day. After completing the majority of my GDPR project, carrying out much more training on the subject, and assisting several other companies, I feel that these posts are still relevant and can still be very helpful for anyone just approaching GDPR and getting to grips with, what is for most, a very large and scary subject.]
I am hoping that by writing this guide, I may be able to help some of you understand some of the aspects of GDPR more easily. I have been wading through it for months now; I’ve listened to podcasts, watched talks on YouTube and attended seminars. Maybe I can impart some of this advice to you guys to help prevent you from going through this same torturous process, and to help you avoid spending hundreds of pounds unnecessarily.
You would be amazed how many emails I’ve gotten recently offering to solve all of my GDPR worries, if only I spend a whopping £600 (plus VAT) on a training course to teach me how, or on a webinar to make me GDPR ready.
Well, why pay? I can give you some of the titbits for free.
The thing is, most of this information is readily available if you know where to look. The internet is a wild and wonderful place full of all sorts of resources, both free and paid for. Two of the best resources I’ve found are:
The ICO (Information Commissioner’s Office). These are the people who will actually be enforcing GDPR. The ICO is the UK’s independent body set up to uphold information rights. Their website is full of information: everything from definitions to clauses explained, as well as simple questionnaires you can fill out to see how ready you are. Their job is not to see you fail and slap a fine on you, but to encourage you to succeed, and then slap a massive fine on you if you ignore their advice and fail.
IT Governance. A leading global provider of IT governance, risk management and compliance solutions, with a special focus on cyber resilience, data protection, PCI DSS, ISO 27001 and cybersecurity. Basically, they are a company that can do it all for you or can train you how to do it yourself. I have no personal or professional links to this company beyond the fact that they have some pretty useful free resources available on their website, and for that I thank them.
Ways of implementing GDPR
As the Business Admin manager for my company, it is my job to take care of things like GDPR. As I have stated, I am not a lawyer or even a student of law, let alone a connoisseur of European law. So if you do not think that my advice is sound, then feel free to ignore it and go your own way. I cannot be held accountable for any ‘bad’ advice I give here, this is all my opinion and my way of doing things.
That being said, here are a few things you can do to safeguard yourself and your company:
Hire a company to do your GDPR for you.
Like all areas of business, there are companies out there which have sprung up overnight with the sole intention of taking away the headache of GDPR and being paid a pretty penny to do so. If you are worried about fines, don’t have the time or expertise to devote to GDPR, or have a boss/investor with deep, deep pockets, then, by all means, use one of these companies. Their job is to handle all of the GDPR legalities, the paperwork, the policies, the rules and regulations. The work these companies do can range from writing your policies and letting you get on with it, all the way through to actually providing you with a remote Data Protection Officer (DPO – please see the section on the DPO for more details) to review your data, write your policy and regularly check up on how you are conforming to the policies and procedures they have put in place.
Hire a consultant.
One step below hiring a company to do it for you. The right consultant can work wonders (see my ISO blog post) for your company. If you find a consultant who can work with you rather than for you, then you can end up with a harmonious relationship and a policy which suits you and your company’s needs. But please do be careful: any Tom, Dick or Harry with a few years’ experience in a field can call themselves a consultant and offer services without the need for relevant certification or documentation. I would, therefore, always go on a personal recommendation from someone you know and trust to find a consultant, not just pick one with the right price tag from the internet.
In fact, I have recently done some consultancy on this very subject. I have found that working with the companies, and in particular the one or two people at the company who know the ‘ins and outs’ of the admin procedures, has been the best way to get a policy which suits the company, their ways of working and their staff. The ICO does not like the ‘straight out of the box’ policies and procedures which some companies are touting. And while it is fine to download some template documents and look at those of other (reputable) companies, it is also worth remembering that these are just templates, and you will need to read through and adjust the wording and actual content to match what you and your company are actually doing.
What qualifies me to be a consultant is the fact that I have had to do the work. I have completed training courses on behalf of my company and have written and implemented the policies and procedures across the board. The companies I have consulted for are small and do not have the time or money to send their staff on these courses to learn about GDPR and so they have enlisted my help as a consultant, to advise them on the best ways to go about writing and implementing these policies.
Do the work yourself but get it looked over by a lawyer who specialises in GDPR.
I have to admit, this is most likely what I am going to do. There is a fee for this type of work, but it is usually an hourly fee and much more manageable than paying a company or consultant. It also means that the policy will be tailored to your needs and requirements and will not contain a load of meaningless puff which is not relevant or helpful. It also means that you only have to offer up the pieces of work which you are unsure of. My way of thinking is that I will use this service to get my work checked for any glaring omissions or terms which could be seen as vague or easily misinterpreted.
For anyone who has read my other posts, you will see that my language is often full of colloquialisms and examples. This is not something which an ICO official will want to read. Your language should be concise and to the point with no room for interpretation. A qualified legal professional will take your work and ensure that it will stand up to scrutiny.
[Since initially writing this blog post, back in March, I have spent a lot more time with my head in GDPR. I have completed several training courses and spent hours listening to and partaking in seminars designed to get ‘industry’ ready for the GDPR deadline (which has now been and gone, incidentally, without any massive admin explosions or immediate next-day fines for me or my company), and from this I have become fluent enough to assist several other companies (including some of my suppliers and data processors) in writing and implementing their GDPR policies and procedures. That being said, my work has still been passed through a legal team to ensure that correct advice has been given.]
Do it yourself and keep your fingers crossed.
This may sound like me being cynical, believe me, it is not! If I ran a small company, then I’d probably take a read of this, work up a few policies and procedures and leave it at that. I’d have no real need to delve into the nitty-gritty of what GDPR means and how I can safeguard my company and my customers. For a lot of companies, having an awareness of GDPR and being vigilant in how data is collected, used, stored and disposed of is going to be enough.
As it is, I am the Business Administration Manager for a company with a turnover in excess of £3 million per year which is rapidly expanding, and as such, we cannot afford to be lax in areas such as GDPR. If we were to be reported to the ICO for a breach, then we could find ourselves in serious trouble. It is, therefore, my job to ensure that all policies and procedures put in place by me and my team are robust enough to protect the data and ensure that we do not leave ourselves open to any misuse or loss of the personal data of our customers, prospects or staff.
For those of you who are interested in reading more of what I say about GDPR, please see my next post.