It's my third instalment in the epic series that is our journey towards compliance with the GDPR. We're about to be externally audited.
So, it's episode three (III) and we're all blasters blazing; we've got our regulatory team updating policies and procedures, we've got our marketing team developing new processes by which we capture and manage consent and we're on with applying measures to ensure we can easily get rid of data once we no longer have a genuine reason to process it. Plus, lots and lots of other things.
And, we're being externally audited next week and this is actually awesome.
For two days, the auditing organisation are taking our policies and procedures away and reviewing them. For a further three days, they're on site physically auditing our people, processes and systems. Sounds good to me.
Since we kicked off our journey, we've sought all the guidance available from the UK Information Commissioner's Office (and remember, it's freely available!), utilised local expertise and applied lots of common sense. On that basis, we've proceeded with our plan to achieve compliance. So far, so good.
Rather than continue with this on the assumption that we're doing all the right things and that, come May 25th 2018, we'll somehow switch into a magical state of compliance, we took the decision to bring in an external body to health check our as-is state and also our progress against the plan. This makes perfect sense, I think.
As I've talked about in previous posts, we're pretty experienced in achieving compliance with information security (and other) standards, so we understand the levels of rigour involved, the amount of effort required and so on to gain those accreditations. With the GDPR, we're duty bound to adhere to the law, so that throws commitment into really clear and stark relief.
So, we're doing the above-mentioned stuff: updating everything, such as privacy notices and policies, subject access request processes, or ensuring we're grabbing proper consent for processing. But in addition, we're making sure we can abide by the requirements to forget an individual upon request, revoke their consent for processing if they request it and also obliterate their data from our business systems, either by request or by the natural expiry of our data retention policies.
This all sounds great, but again, we've made plenty of these decisions based on our own trains of thought or previous experience, so getting the auditors in to sense check it all seems like common sense, which of course it is.
We've carefully agreed a plan: look at what we're doing now versus what we need to be doing and provide a detailed report on the gap. Makes sense.
My view is that this is an essential piece. We think we're doing good stuff and the right things, but an unbiased organisation will confirm this or they'll contradict it. I expect they'll to some extent contradict us and that's the whole point. They'll challenge many of our assumptions, raise or calm some of our fears, but overall, provide us with a solid addition to our existing roadmap towards compliance. This is awesome.
Once the auditors have completed their mission, they'll go away and gather their thoughts. They'll then provide us with a report, based on the findings. We expect this prior to the end of the year.
We're quite confident that we're doing the right things in preparation for May 25th; however, a completely neutral view on our progress is extremely helpful, both by validating (or otherwise!) our current approach and by highlighting things we maybe haven't thought about. It's all good and we go into the process full of positive vibes.
Checking our pulse
So, it's full steam ahead. We still have 100% engagement across the business, including our leadership team. The levels of proactive, practical work and innovation on display from colleagues is quite amazing. Our pulse is strong.
Let's see how much the 'man' agrees :)
My next update on the saga will be around mid-December.
Thanks for reading.