This is a very interesting piece from David Fanning of Spiceworks. It touches upon how the IT departments normally get the stick for lost or tampered information, but under GDPR, it relies on all departments of the business.
With its rules about the way companies interact with the personal information of European Union citizens, General Data Protection Regulation is going to affect the way entire organisations operate. But the word “data” may mean business stakeholders relegate the issue to their IT departments and ignore its implications throughout the rest of the company.
That’s a logistical misstep IT professionals can take the lead to address.
Of course data protection entails IT teams — but data protection and privacy laws are important for every department to consider carefully. If there’s a problem, it’ll be from the least well-informed department; make sure that’s not yours
Compliance isn’t a game of hot potato; it’s a team effort. It’s important that all staff is aware of privacy and data protection laws. However, it’s not the job of the IT department to educate and enforce compliance. Not alone at least.
There’s enough work to do to uphold the privacy-by-design goals of GDPR without taking on the roles of teacher, police officer, legal counsel, and marketing copywriter. You may be the first to know about GDPR requirements; you may eventually find yourself nominated as the Data Protection Officer if that’s the path you choose. But it’s important not to shoulder this responsibility alone.
GDPR compliance is a cross-business project that affects all data flows — including paper records. IT is almost certainly the wrong function to own this compliance activity, although they have a key contribution to make.
That is certainly the case in big companies. Smaller companies may not have enough senior people to handle the compliance project. Whatever the case, the IT department will have the most work to do to comply, and will almost certainly be the first to hear about GDPR. IT will benefit most from early planning, so don’t be backward in coming forward if nobody has mentioned GDPR to you yet.
Stakeholder analysis
One sure fire way to impress senior management is to do your homework, and demonstrate how different departments can contribute to compliance. The first step towards that will be figuring out who will be most affected by, or have an interest in, GDPR compliance.
Make a list by department — or for smaller businesses, by individual staff members. From that list, identify any potential allies. Make time to speak to them individually about GDPR, explaining how it will affect them or their department. Get as many people on-side as possible.
Ideally, meet with the head of the organisation to explain GDPR too. The more people that have some understanding of GDPR. The easier that first management meeting will be.
Nobody likes feeling dumb, ill-informed or behind the curve, especially in front of an audience. Help people get up to speed early, and you’ll avoid howls of incredulity and a million questions or interruptions.
Who does what?
If you’re looking for a challenge or career advancement, then volunteer to take on the role Data Protection Officer (DPO). The legislation is deliberately fuzzy around whether employing a DPO is a legal requirement, suggesting it is for some organisations without specifying which ones. Organisations should certainly assign one person oversight for compliance, and “DPO” is the appropriate term of art.
There are no qualifications a DPO must have, and no such qualifications issued by the Information Commissioners Office, or any EU official bodies. However taking a short course on GDPR is a good way for a budding DPO to cover all the bases. The alternative is to hire a part-time or full-time DPO. The world of compliance is not for everybody; it’s one of many tangents a career in IT can take. If it’s not your thing, don’t force it, but if it is, there’s a good career to be made of it.
The DPO may lead the project, but that’s not the same as doing all the work. The IT aspects of compliance will keep that department busy enough. There’s no need to fill the role of legal counsel, marketing, HR, accounts and sales in one person. Let experts in other departments help with the rest.
Data protection by design
This is the real challenge for the DPO (and for the IT team if the two are separate). It starts with a Privacy Impact Assessment (PIA), which is an in-depth investigation of current systems and practices. The ICO has a short-ish 50-page code of practice for the PIA.
It’s a lengthy process, so a top priority for the DPO, as it will highlight needed changes. Only then can the company start the even longer process of becoming GDPR compliant. This could take weeks, months, or even years. Which will be awkward for organisations yet to initiate the process.
Remember that no IT department is an island. When it comes to GDPR, it takes a village.
To read the full blog and check out the author of the blog, click here.