Despite all the noise around GDPR, there’s still a lack of clarity on how organisations can actually achieve compliance. The waters are being muddied further by increasing numbers of instant ‘experts’ claiming that they alone have the magic bullet to address GDPR requirements. Many companies are also asserting they can make organisations GDPR compliant fast; but without gaining a thorough understanding of the business, this would prove pretty much impossible.
The reality is that each business is different and unique in its own ways, so any off-the-shelf, one-size-fits-all system or quick fix will prove ineffective. Ultimately, the most appropriate GDPR partner will have an organisation’s best interests at heart and possess the expertise required to deliver successful outcomes. Here are five key questions to help organisations make an informed partner selection, so they can effectively tackle GDPR compliance in both the short and longer term.
1. How long have they been providing compliance and data protection services?
GDPR may be today’s hot topic, but compliance and regulation aren’t new: they are something that has affected IT departments, in some sectors, for many years. Knowing about GDPR is one thing, but having hands-on experience, great relationships with other experts in the field and access to specialist tools really sets apart the best partners. Also, establish whether a potential partner is GDPR compliant themselves; there’s no point in an organisation investing valuable time and money in a company that hasn’t already achieved this.
2. Have they worked in regulated markets?
The best GDPR partners will already have this wealth of knowledge and a strong track record, especially in regulated sectors such as banking, legal and insurance. A partner who has worked with clients who already comply with industry regulation will know that GDPR compliance means much more than just data discovery or security. True experts will understand the bigger picture and advise on the best way forward. If they can only talk about their experience using theoretical scenarios, organisations should avoid them.
3. What are their relevant accreditations?
GDPR encourages the use of certification schemes like ISO 27001, the international best practice standard for information security management. Companies who comply with ISO 27001 deliver the appropriate technical controls, policies and procedures, and promote a culture of awareness of information security. Achieving ISO certification is a great way of proving to the regulator that a supplier has taken the necessary steps to comply with the data security requirements of the GDPR.
A partner should also follow ITIL best practices and help organisations use them to implement and adapt processes for GDPR compliance. As part of the GDPR, organisations will need to have mechanisms in place to deal with customer requests, such as requests for erasure. ITIL’s request fulfilment process helps ensure that they can deal with the volume of requests they may receive.
4. How will they actually help an organisation become GDPR compliant?
As we mentioned, there is a lot of noise out there and many companies are offering to get organisations compliant, but will their product or services actually help? Different types of businesses will hold different kinds of data. The more knowledgeable providers in the industry will not offer a one-size-fits-all product but will apply practical knowledge and experience to establish what’s possible, what should be done and in what order, and what should simply be documented and accepted in terms of risk.
The key to success is a provider that takes time to understand the unique data risks of each organisation, and how these can be mitigated in a secure and compliant way. Options to be considered include a compliance assessment that identifies an organisation’s GDPR state of readiness, and solutions that help optimise the control, visibility and responsibility of data.
5. Can they work with a variety of technologies/IT systems?
A GDPR partner might have the tools to get 5000 Microsoft users compliant but may not be set up to work with the specific IT systems that an organisation has in place. For example, an organisation may use a range of different systems and tools and need a partner who can adapt their process accordingly. Organisations should therefore ensure that the partner they choose can help them achieve each of the aims and objectives set out in their GDPR plan.
It should be noted that the data protection reforms are not entirely bad news for organisations. Whilst not necessarily wholly self-evident, there are many benefits to compliance with the new reforms. Reducing the likelihood of a breach means avoiding the fines associated with non-compliance and the reputational damage from adverse publicity.
Other ‘wins’ could be reinforcement of customer focus and governance rigour amongst stakeholders, and reassurance to both customers and regulators that best practice has been followed. Also, completion of privacy impact assessments can help ensure that problems are identified at an early stage, as addressing them early will often be simpler and less costly.
The new compliance requirements can also be a driver for business process re-engineering. An organisation may take the opportunity to save money and reduce compliance cost by minimising the amount of information being collected or used, where this is possible. This may result in more straightforward processes for staff.
Sean Hanford, information governance consultant at Bluesource