The EU General Data Protection Regulation (GDPR) is a recent law on privacy and protection of personal data of individuals, who can include employees, customers, or supplier personnel. All organisations who provide services to or process the data of EU residents need to comply with the EU GDPR. As the EU General Data Protection Regulation has many requirements around privacy and protection of personal data, it can be overwhelming when organisations start their journey for compliance with this regulation. Naturally, if there are so many requirements, they would cover multiple parts of an organisation, and this would require engagement amongst multiple stakeholders in many departments.
In a large or mid-sized organisation, this is truer and more relevant because the broader the topic, the more stakeholders and the more challenges there will be. The only way you can resolve this challenge is by identifying risks, listing priorities, and aligning these with all involved. In this article, we discuss the very first things that you must do when you start your GDPR project, and possible options you have when initiating your GDPR compliance project.
The first things to do as part of GDPR compliance
The first and foremost thing to comply with the GDPR is to put a priority on it. It may sound simple, but as you consider putting your efforts into becoming compliant with the EU General Data Protection Regulation, you may think of other priorities that you have. And, you may also feel that those ongoing actions have higher priority. I don’t mean that your priorities are right or wrong, but I recommend that you consider putting a priority on the GDPR. For this, the following three potential benefits of compliance with the GDPR need to be understood:
- Avoidance of fines. Fines for the GDPR are very high. Forget about 4% of global turnover or 20 million euros; no owner or top manager wants his or her company to pay even a fraction of this amount. You need to use this number, convert it into an amount relevant for your company, and put this in context for top management.
- Risk of lawsuits. Fines aside, the GDPR enables customers to file lawsuits. The cost of these cannot be estimated, but they must be avoided. Again, no one wants this to happen to their company, and you to need to use this point to convince yourself that compliance actions can help you mitigate the risk of this happening to your company.
- Reputational risks. While fines are part of the tangible costs, a data breach or a lawsuit can put your company’s reputation and brand value at risk. Again, no responsible person wants this to happen, and you to need to articulate this in your story.
Now, I’m not saying that these three risks are the only reasons for your company to implement compliance with the GDPR, but I am saying that these are factors that will get you to focus and start to act. And, once you have understood these, the next challenge will be having this as a shared priority with key stakeholders.
Once you have identified key stakeholders, it is time to establish the project by choosing a project management team. A good project management team with the right mix of resources will ensure that compliance actions are identified, executed and followed thru. In doing so, you have some options to choose from, and making the right choices is key to the timely completion and success of your project.
In my opinion, there are three basic options to implement compliance: (1) do it completely using your own employees, (2) use a consultant, or (3) (somewhat in the middle) implement the standard with a Do-It-Yourself approach, while taking advantage of external know-how as and when required.
Ready, steady . . . go
Compliance with the GDPR requires managing priorities, understanding and evaluating risks, and choosing what to do first. Once you know what the most important risk is (or risks are) to manage, you should prioritise and prepare an approach in line with that. As part of your initial choices, you should also decide if you do it all within the organisation or rely on external help. All these choices are key to a good start. So, go and identify the risks, prioritise, and then establish your GDPR implementation project.