GDPR or Bust?
In this post I am going to slowly build up a head of steam in preparation for a journey heading in one of many possible directions towards ‘General Data Protection Regulation’ (GDPR) compliance. Before moving forward, I review the point at which this journey begins for many Irish small to medium businesses, micro firms and non-profit/volunteer organisations, all of whom should be scheduling their arrival before the 25th May 2018 deadline.
En route we’ll stop off to sample some of the GDPR preparation guides already available and the other online information that can help speed the journey through unfamiliar territory and safely over those steep valley gorges. Before journey’s end there may be steep inclines, dangerous bends, troubled waters to be bridged and mountains to be avoided. Some of our journeymen and women may be left standing on the platform, unsure when to buy a ticket to board the GDPR express. Other ticket holders may still be battling with themselves over whether, and when, is best to climb aboard.
Jumping aboard myself, I find some passengers asleep, safe in the knowledge that their time spent on pre-travel checks lets them sleep soundly, confident that they’re on the right track, heading in the right direction at maximum speed towards GDPR compliance. But for some of my fellow travellers there may still be trouble ahead, as dreams can turn to nightmares and bring that nagging feeling that you may have left something or someone behind. If so, that feeling may be supported by existing statistics which suggest a possible rude awakening around the bend awaits many small Irish businesses and non-profit organisations.
Looking around the carriages, I noted a large number of empty seats. Statistics from a survey reported in May 2017 suggest that the GDPR Express was running on time but far short of its expected ticket sales and seating capacity, as “just 14% have begun getting ready” to make the GDPR journey. As many as 86% possibly remain behind, waving us a fond farewell from the platform. The statistics appear to suggest these small to medium enterprises and micro firms are left behind because they believe GDPR may not apply to them, or because they lack a full understanding of the strategy, requirements and obligations waiting at the end of the line.
With only four months to go and such a journey ahead, many could fail to hear the final whistle, catch a later train or even miss the last train. In a globalised online world of outsourcing, cloud computing and remote hosting, those we rely upon as service providers, vendors and suppliers often need to join us on our journey as our nearest and dearest travel companions, but have been left behind as we speed away towards “GDPR or Bust!”.
GDPR or Bust may seem overly dramatic but, right or wrong, in preparation for GDPR I will outline some helpful resources, statistics and further reading I encountered during my research journey. En route, I stop off to borrow from my earlier post on ‘Breaking Brexit’ to outline a possible project approach to forming, preparing and implementing GDPR preparation strategies. If you’re not sure what GDPR is, and the statistics suggest you’re not alone, the Data Protection Commissioner (Ireland) has an excellent website with reading materials, resources and a ’12 step guide’ to help get you started on the right track and heading in the right direction, departing from here: GDPRAndYou.ie
Lets Get Packed!
Before buying your ticket for the GDPR Express and choosing your destination, direction, track and fellow travellers, here are some of the many snapshots I took en route that may help to ease the journey ahead of you. But before you step aboard and the train gets underway, there are a few little travel essentials we need to get organised first. As in my previous posts, we need to stop off for a reality check, and to say that I hope you will find this post a bit different, proactive and informative rather than the usual dry, scary self-promotion … there’s a lot of it about!
As a project manager, I do not promote myself as a GDPR or legal expert, specialist or consultant, but I do frequently get asked to help formulate strategy and lead the projects that implement those strategies to get the job DONE! The idea at the heart of this post is to get people thinking, talking and hopefully doing something positive ahead of the GDPR deadline. While there may be many sources referenced or cited in this post, it is not intended to promote or endorse any particular thinking, source, view, option, opinion, action or approach, and the reader is asked to keep an open mind when reading this post, the linked sources and materials, and the information presented.
To allow this post to continue to add value for readers now and into the future, it is a living post, being changed, corrected, updated and amended over an extended time as new information and sources are judged worthy of readers’ further consideration. If you have something you feel is related and worth sharing, please add your comments below. In short, every project, approach and journey will be different. The reader should fully consider the unique context of their own project’s requirements, scope, budget, obligations, risks and constraints.
Readers are strongly recommended to seek professional and expert specialist advice and guidance when required.
Watch The GDPR World Fly By
As we set out on our journey there are lots of small stopping points at which to review interesting information en route. Each little station has its own insights into the world of GDPR. Looking out the window we get only a brief flash. If you want a closer look, pull the cord (click on the link), stop the train and step off to sample more of what’s on offer; otherwise, sit back, enjoy the ride and watch the GDPR world fly by. Before we get ahead of ourselves, our journey begins slow and steady. Let’s begin at the GDPR beginning.
“The General Data Protection Regulation (GDPR) is a new piece of data protection regulation which will become law across the EU in May 2018. It will replace all current data protection regulations.”
“The General Data Protection Regulation (GDPR) very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”
So, if you’re interested in stopping off for a more detailed look at how the new GDPR differs from the existing ‘Data Protection Act’, pull the cord now by clicking on the following link and spend a little time taking a closer look at The key-changes
As the deadline of 25th May 2018 fast approaches, statistics suggest confusion remains for many Irish small businesses around formulating General Data Protection Regulation preparation strategies, implementation plans and compliance activities. This confusion may cross profit and non-profit boundaries in organisations of all sizes, from micro to global enterprises; small and micro firms could be more susceptible than most. Such statistics go as far as to suggest that for some it could be a choice between … GDPR or bust!
GDPR is not new! To better understand a future with GDPR we need to reflect and track back to its origins, before 2014. You can read more in ‘The History of the General Data Protection Regulation’ by the European Data Protection Supervisor. In ‘GDPR: The Story So Far’, PwC take a more detailed overview of the more recent history of GDPR.
Hype, Hysteria and Hyperbole
When we need expert help, we often turn to those we believe to be experts for advice and guidance. My research turned up this insightful and interesting summary posted by Martin Rowland on LinkedIn. Martin samples some of the “Resellers spar in GDPR debate” discussions between resellers and ‘Managed Service Providers’ (MSPs). MSPs are often the information technology (IT) service providers that manage and assume responsibility for a defined set of services, and the ones clients might look to for such guidance. The summary thoughts of the individual speakers on GDPR, “Keep calm and carry on”, “It’s not going away”, “Just follow good practice” and “Just get on with it”, didn’t really inspire my confidence that the existing hype, hysteria and hyperbole around GDPR is going to go away any time soon.
The Biggest Challenge
If you’re big into the technical end of things, such as data security in cloud computing, secure backups and the Internet of Things (IoT) in managed service systems in a future with GDPR, I found the ‘GDPR in the Channel’ round table discussion revealing and well worth a watch. On the question of market conditions for MSPs in a world ahead of the GDPR deadline, one panellist, Dave Sobel of SolarWinds MSP, commented that “… its (GDPR) the hottest topic … there is obviously a lot of uncertainty in the market here right now, particularly when you look at compliance and regulation and that’s the number 1 area”. Another round table panellist, Scot Dodds of Ultima Business Solutions, goes on to suggest “… there’s real risk, real risk to businesses, there’s 4% of global revenues as a fine, these are serious implications and how that’s managed when it comes to it (the deadline) on May 18 (2018) who knows, we talk about … how probably your biggest challenge is your competitors or customers blowing the whistle on you rather than anything else …“.
Reflecting on what appeared to me to be a growing consensus between the debate and round table panellists, the biggest challenge was that “GDPR is 95 per cent a legal issue”, which suggested the legal eagles would be the first required to pick over the bones of GDPR.
Low Flying Legal Eagles
I would need to call a legal eagle and, albeit an unscientific and crude experiment, ask a simple question. I decided to call a small-town, down-to-earth local solicitor whom I deeply and professionally respect. So what did I say to this low flying legal eagle? … ‘I am looking for some legal advice on GDPR … is this something you can help me with? Or is there another legal firm you would recommend that specialises in GDPR?’. As I expected, the reply was swift and direct and, to be honest, much as I had suspected.
While ‘What does GDPR stand for?’ would be what I expected to hear, I can’t even say I was surprised by the down-to-earth home truths shared with me next. The recommendation I would summarise as ‘You’ll most likely need to call one of the big Dublin-based legal firms’. OK, no real surprise there then, until he drove his point home with the precision and accuracy of his eagle eye, focused on a reality that was for him blindingly obvious and simple: many small businesses, never mind the humble little ones, most often cannot afford to call down a flock of high-flying Dublin-based legal eagles to help formulate and implement a GDPR strategy, let alone pay to get the job done right this side of the deadline.
Measuring GDPR readiness?
Never happy with unsolved problems or unanswered questions, my question was how to measure whether the solicitor’s point had any basis. So I went in search of what others had to say on the subject; here’s what I found …
“The GDPR expands the territorial scope of EU data protection law, meaning a greater number of organisations will now be subject to it.”
“Two thirds of Irish businesses are unaware of their obligations under the impending “game-changing” general data protection regulation (GDPR) which comes into law next May, a report has found.”
“The GDPR will become law in May 2018 and will be the biggest change in data protection rules to occur in Ireland. “,
“The new data protection laws in the General Data Protection Regulation (GDPR) are applicable to organisations of all sizes, including Small & Medium Enterprises (SMEs), but many small businesses have not begun preparing for this comprehensive piece of legislation.”
( Independent.ie )
Digging a little deeper I then turned up the following …
“Only 16% have already mobilised a project to meet the compliance requirements;”
( Mazars.ie )
Flipping this 16% statistic around suggests that as much as 84% have not yet mobilised a project to meet the GDPR compliance requirements.
“(23%) of Irish organisations would be forced to close if they were found to be liable to fines under impending General Data Protection Regulation (GDPR) legislation.”
( BusinessWorld.ie )
What’s possibly coming down the line?
In summary, as a worst case, what could possibly be coming down the line? Armed with little more than a suspicion supported by the statistics and media reports turned up by my research, it’s easy for me to conclude that there may be a risk to a large number of small businesses and not-for-profit organisations. Such organisations may historically have been asleep at the ‘Data Protection’ controls and are now awaking to a runaway train, demanding they quickly regain control and avoid a train wreck by jumping rails to get back on track in a more GDPR-compliant direction. Others may be gambling that down the tracks a band of competing desperados is not lying in wait, ready to blow the tracks and derail those late departures. Even a few of those last trains could have gambled on an ill-fated “wait-and-see” strategy, intending under cover of darkness to sneak into ‘Compliance’ town sometime after the deadline in the hope of passing unnoticed by the local sheriff. Regardless of my suspicions, statistics or well-informed insights, if you have not taken the journey and arrived safe and sound, perhaps it’s time to get on board. If you’re not exempt and not yet GDPR ready, perhaps the first steps to be taken are to Prepare for GDPR.
Prepare for GDPR
www.GDPRAndYou.ie is a first stop for many of those hoping to lay down tracks heading in the right direction as their first steps toward becoming GDPR ready. The Data Protection Commissioner (Ireland) has compiled a simple 12 step infographic which gives a good insight into the major milestones you’ll need to visit en route.
Data Commissioner (Ireland) – 12 Step Infographic
The Data Protection Commissioner (Ireland) has published a more detailed deeper dive into the above 12 step infographic, entitled ‘The GDPR and You – Preparing for 2018’.
IBEC have created two helpful guides on the GDPR including one which offers guidance for Irish employers.
John Kennedy writes for SiliconRepublic.com that ‘GDPR is a year away: 7 things you need to know to take action’.
“In a recent report, Managing Insider Risk through Training & Culture, data protection and privacy training professionals stated that their employees are their weakest link when it comes to information security. The Data Commissioner advises it is good practice to provide all staff data protection training on or shortly after starting employment and regular updates throughout their employment.”
( Legal-Island.ie )
“One final piece of advice: Don’t ignore it. Don’t bury your head in the sand and hope that it will go away, because it won’t. Find out today where it really impacts your organisation and build a tangible roadmap for addressing it.”
I found a 10-part series of articles, complete with side-bar ‘Recitals’, entitled ‘Top 10 operational impacts of the GDPR’ by the International Association of Privacy Professionals. It takes a deeper dive than most third-party articles and makes for good reading when formulating a GDPR preparation strategy.
There are lots and lots of articles about how to make good on your GDPR preparations, too many to mention. Needless to say, having researched around the topic as I have, I am left with more questions, black holes, grey areas and gaps than when I started, but that’s all part of the ongoing learning process with GDPR, for example …
GDPR Gaps, Grey Areas, Black Holes & Pitfalls
GDPR is not without its own gaps, grey areas, black holes and pitfalls as you may find if you start asking questions such as …
- How is ‘Large amounts of personal data’ defined and measured?
- Are the details of my ‘economic’ investments and interests defined as ‘Personal Data’?
- How to bring 3rd Party service providers/data processors and joint data controllers into GDPR compliance? (the GDPR ‘Personal Data’ supply chain)
- What about the Electoral Roll? and Oireachtas members obligations under the GDPR?
- Achieving GDPR compliance in the globalised world of the Internet of Everything?
- What does GDPR mean for WordPress Developers?
- What does Brexit mean in an EU of GDPR?
- The role of legacy systems in a future with GDPR requirements and obligations?
- How to validate GDPR compliance?
- How is the ‘Data Protection Officer’s’ knowledge and expertise defined, measured and validated?
- How is ‘Personal Data’ “sensitivity” defined and measured?
- How is “proportionate” defined and measured under GDPR?
- How is “high risk” defined and measured?
- Will there really be no lead GDPR supervisory authority in the UK when the UK finally Brexits?
- How is “High volume” defined and measured?
- How are the “appropriate technical or organisational measures” that are to be taken in order to comply defined and measured?
- How is “Occasional” defined and measured?
… and the list just keeps on growing …
When struggling with such questions, it can help to take ‘A Closer Look At Definitions’.
Example Simple Project Implementation Approach:
Approaching GDPR preparations is similar to the possible approaches to ‘Breaking Brexit’: it can be simple but intimidating in scale, to the point that some may lose focus on the bigger picture. Just like eating an elephant, the best way to approach this mammoth task is one small bite at a time.
A common first step in most implementation projects, regardless of type, is to clearly define the problem and the objective and then communicate these widely to all key stakeholders, seeking their feedback and agreement. In small organisations, businesses and firms a simple approach can often gain the greatest traction and avoid spinning those wheels in the muddy details. The Shewhart (aka Deming) Plan-Do-Check-Act cycle, on its own, helps to visualise a simple problem-solving approach for strategising more complex problems. Blending and tailoring this simple approach we can create an agile approach more natural to small enterprises, in the hope of ‘Making Projects Simple’, as follows:
The Problem With GDPR
A common first step to defining the problem with GDPR is to begin with a ‘Problem Statement’. A good problem statement clearly defines the problem to be addressed, communicates it to all key stakeholders and invites their shared understanding, feedback, buy-in and commitment where wider agreement is required.
Example Problem Statement
Assuming all the feedback is in, and the problem is clear and agreed, a further step may be to create an overall SMART objective for the overarching project, for example:
“Go-Live! with GDPR validated processes, policies, practices and procedures on or before the 19th of March 2018.”
Both the ‘Problem Statement’ and the ‘SMART Objective’ can now come together to form the starting point for the ‘Project Charter’. The ‘Project Charter’ acts as the contract of agreement between the key stakeholders, sponsors, promoters and the project team. It is a living document which spans the life of the project and, as a single A4 document, can become the parent of a series of smaller, prioritised, bite-size projects.
For each project, we can add a helpful visual that summarises the project milestones and deliverables using a ‘Project Timeline’. This can be broken down further into more detailed ‘Project Timelines’ for the smaller bite-size child projects of the overall parent project mentioned above.
You may have noticed that the example ‘Project Timeline’ shows a number of high-level milestones with possible completion dates. Each milestone often signals the end of a significant phase of the project and a stage gate at which management can check in on progress and approach before the next body of work (or bite of the elephant) is approved. This is important to keep in mind because the bulk of the detailed planning work in such projects is usually completed early, while the bulk of the resource-heavy execution is completed in the later phases. So let’s roll back to the early phases before slowly rebuilding our speed.
In ‘Breaking Brexit’ there was a helpful preparing-for-Brexit Scorecard self-assessment. When assessing ‘Data Protection Act’ readiness for the first time, the Data Protection Commissioner (Ireland) has a helpful ‘CheckList’ in the form of a series of questions, and has also published a ‘Check List’ for the GDPR as part of The GDPR and You – General Data Protection Regulation – Preparing for 2018. Because the UK and Ireland share a lot in common, I found the ‘Getting ready for GDPR’ high-level assessment, freely available online from the UK’s ‘Information Commissioner’s Office’, to be a simple early-warning self-assessment using a similar approach to that of the ‘Brexit Scorecard’. If you find this approach helpful, it may be worth your time also taking a look at the full ‘Data Protection Self Assessment Toolkit’. If you want to dig a bit deeper into many of the GDPR definitions, the Isle of Man Information Commissioner has published a helpful PDF that takes ‘A Closer Look At Definitions’.
More project activities you should also consider as you formulate your GDPR preparation strategy could include:
- Training for staff and any appointed ‘Data Protection Officer’ (DPO)
- Self Assessment of current and ongoing GDPR readiness and compliance
- Process Mapping of all the existing personal data processes
- Gap Analysis between the GDPR ‘As-Is’ readiness and the GDPR ‘To-Be’ readiness
- GDPR Preparation Strategy (What needs to be ‘Done’)
- Implementation Plan (‘Who’, ‘How’ and ‘When’ of getting the job ‘Done’)
- Validation Processes, Change Management and Sign Off to manage the change required, ensuring its ‘Done’ right
GDPR or Bust!
There are some exemptions for organisations under GDPR, but by and large GDPR applies to more organisations than the ‘Data Protection Act’ previously did. Under GDPR there is no registration step: whether you are a ‘Data Controller’ or ‘Data Processor’ follows from what you actually do with personal data. There is a risk, therefore, that those who did not previously register as ‘Data Controllers’ or ‘Data Processors’ will on the 25th May 2018 find themselves to be ‘Data Controllers’ or ‘Data Processors’ and obliged to comply as such. Regardless of the reason, not applying GDPR where GDPR needs to be applied could signal a runaway train heading at full steam towards a real disaster.
The Irish Pedigree Livestock Industry
As a 20 year technical veteran of the Irish agri pedigree cattle and sheep livestock industry, I have a number of concerns about small and micro organisations asleep at the wheel and oblivious to the pending train wreck if they fail to hear the GDPR express coming the other way. This could be an even greater risk if third-party service providers acting as ‘Data Processors’ expose or compound existing GDPR gaps in the organisation’s processes, practices, policies, procedures and legacy systems.
Compounding this risk is the GDPR’s stricter standard for consent, which must be freely given, specific, informed and unambiguous; consent gained previously under a looser standard may no longer be valid. Outdated rule sets, terms and conditions, contracts and agreements which pre-date GDPR and remain without comprehensive revision could also be a risk and signal danger ahead, in particular contracts with data processors, which the GDPR requires to set out specific terms.
It is not difficult to imagine that some small to micro ‘Not-for-profit’ agri industry organisations could be among the possible 84% who had not begun to implement a ‘General Data Protection Regulation’ preparation strategy, as suggested by the statistical data gathered back in April of this year.
In the case of GDPR, a failure to plan could signal the end of the track for some small organisations.
So hopefully this article can help to inspire those who need to get on board to take the GDPR express journey towards GDPR compliance, and so avoid the gamble of GDPR or Bust!
- Coming Soon! – Simple Project Implementation Portal
- Data Protection Commissioner (Ireland) – General Data Protection Regulation
- My Breaking Brexit post
- www.Independent.ie – GDPR What, Why, Where & When
- Data Protection Commissioner (Ireland) – www.GDPRAndYou.ie
- Data Protection Commissioner (Ireland) – Self Assessment Data Protection Checklist
- European General Data Protection Regulation Portal – EU GDPR Key Changes
- The European Data Protection Supervisor – ‘The History of the General Data Protection Regulation’
- PwC – ‘GDPR – The Story So Far’
- Martin Rowland – Resellers spar in GDPR debate – Highlights
- CRN ChannelWeb.co.uk – Resellers spar in GDPR debate
- CRN ChannelWeb.co.uk – GDPR in the Channel
- www.GDPRAndYou.ie – GDPR 12 Step To Being Prepared
- www.GDPRAndYou.ie – Awareness Of, and Preparation for, the General Data Protection Regulation, in
- www.GDPRAndYou.ie – DPC Press Release – 365 to GDPR
- www.GDPRAndYou.ie – A Guide To Help SMEs Prepare for GDPR
- IrishExaminer.com – Warning issued on upcoming General Data Protection Regulation
- Mazars Ireland – General Data Protection Regulation Survey Finding
- George Parapadakis – #Fake-GDPR and #GDPR-mongering – Let’s keep it real!
- www.IrishTimes.com – TDs fear new data protection rules will hamper constituency work
- EmploymentRightsIreland.com – The General Data Protection Regulation (GDPR) in Ireland-the Essentials
- IBEC – IBEC Guides on the General Data Protection Regulation (GDPR)
- BusinessWorld.ie – 23% of Irish companies would be forced to cease trading if found liable to GDPR fines
- Independent.ie – and GDPR…Benefits, exemptions and why Irish businesses need to prepare
- Mason Hayes & Curran – New ‘Getting Ready for the GDPR’ Guide
- Legal-Island.ie – Data Protection in the Republic of Ireland Workplace
- John Kennedy / Silicon Republic.com – GDPR is a year away: 7 things you need to know to take action
- John Kennedy / SiliconRepublic.com – Majority of organisations expect a GDPR audit in the next 18 months
- Data Protection Commissioner (Ireland) – The GDPR and You – General Data Protection Regulation – Preparing for 2018
- Cisco – Introduction to GDPR (from a Brexit Perspective)
- KuppingerCole – Is Your Software GDPR-Compliant? Is That the Right Question?
- International Association of Privacy Professionals – ‘Top 10 operational impacts of the GDPR’
- Information Commissioners Office (UK) – ‘Data Protection Self Assessment Toolkit’.
- Information Commissioners Office (UK) – Preparing for the GDPR – 12 Steps to take now
- Information Commissioners Office (UK) – Getting Ready for the GDPR – Checklist
- European Commission – Data Protection – Better Rules For Small Business
- Information Commissioner (Isle of Man) – ‘A Closer Look At Definitions’
- Information Commissioner (Isle of Man) – The General Data Protection Regulation
- Information Commissioner (Isle of Man) – Getting Ready For GDPR – Part 1
- Information Commissioner (Isle of Man) – Getting Ready For GDPR – Part 2
- Fieldfisher Law Firm – The ambiguity of unambiguous consent under the GDPR
- Official Journal of the European Union – Regulation (EU) 2016/679
- European Commission – Factsheet on the “Right to be Forgotten”
- European Commission – Code of Conduct on privacy for mHealth apps has been finalised (a good non-technical practical contextual read)
- Version1.com – GDPR – Key Impacts and Architectural Implications: What you Need to Know
- SecureDataService – EU General Data Protection Regulation (EU-GDPR) – Table of contents
- Commission Nationale de l’Informatique et des Libertés – Data Protection Around The World
- DLA Piper – EU General Data Protection Regulation – Actions To Take (A Snapshot Assessment)
- The Association of Data Protection Officers – Will Brexit complicate GDPR?
- ThinkBusiness.ie – A GDPR Guide For Start-ups and Small Business
- Computing.co.uk – GDPR: Organisations ignoring paper-based risks (Free registration required)
- Computing.co.uk – GDPR: The Death Of Telemarketing? (Free registration required)
- National Cyber Security Centre (UK) – Cyber Security: Small Business Guide
- European Data Protection Supervisor – Implementation of Data Protection by Design and by Default
- Intersoft Consulting Services AG – Processing of ‘Special Categories’ of ‘Personal Data’
TO BE CONTINUED! …