Without much hesitation, I am certain that my experience of the past eighteen months has been similar to that of others: attending and consuming countless GDPR-focused conferences, webinars, panel discussions and blog posts in an effort to strengthen my own grasp of the topic and to trade suggestions on real-life application with peers. There is much to gain from such occasions.
Getting the perspective of those who face the challenges posed by integrating the GDPR into a variety of different business verticals can be fascinating... in a data protection sort of way. How can I continue to collect CCTV images? What about international passenger flight manifests? What do I do with the thousands of contact details I have collected, for marketing purposes, pre-GDPR? Will I still be able to purchase contact data?
Answering a Question with a Question
The one question which all in attendance ponder is where to start. How do they begin their GDPR journey in the most effective way?
The stock standard answer is a personal data audit: a process of discovering what personal data is currently held, collected, stored and processed, and the workflows which define its lifecycle. This advice is not without merit and is a good starting position; however, it doesn't account for those who have no need to perform such a task, or who may already have completed it as part of a previous compliance toolkit. This advice, while well-meaning, assumes that all existing privacy policies are equal.
Where is the Starting Mark?
Understanding where to begin relies on understanding where you currently stand. Very little in the pages of the GDPR is truly new or innovative; in fact, one of the reasons the administrative penalties have received so much more attention than other aspects is, in part, their unprecedented values. They are one of very few items which have not been inherited (either directly or with some power-up) from the Data Protection Directive 1995 or influenced by ISO27001.
Taking this into account, many businesses and organisations may already be further ahead in their GDPR preparations than they previously thought. The Data Protection Act 1998 in the UK, which was a result of the Data Protection Directive 1995, has been in force for almost 20 years; any organisation worth its name will be compliant with it, meaning much of the GDPR work is just a tweaking of existing policy. In addition, ISO27001 and its resultant ISMS (Information Security Management System) is an ideal framework for a short hop over to GDPR compliance. Therefore, posing one answer for all when asked the question of where to begin is foolhardy. Instead, consider a simple task of baselining, or assessing, your current posture against where you need to be in 2018.
The Shortest Distance between Two Points
By assessing your GDPR posture today, you can measure the distance between the now and the tomorrow. This gives you focus on those articles and tasks which will require the greatest effort, and reveals quick wins in areas where you may already be compliant, or near to it.
Such assessments can be carried out in-house, should you have personnel who are sufficiently briefed on the regulation, or by the countless service providers offering GDPR-related assessments and gap analysis activities.