Achieving GDPR compliance: Episode II
It's like Star Wars, only because there will be a similar number of instalments, and I'm borrowing the use of Roman numerals. Other than that, no Jawas, no Jedis and Han Solo still shot first and is still dead :)
So, where are we at?
In my last post on the subject, Paula and I had completed a round of data processing reviews and sent some of the business away to make some changes to such things as our privacy policy, or our subject access request process and so on. We also spent some time with our HR Director and Head of Learning and Development. This was game changing.
The meetings with those guys were ostensibly to walk through our 'raising awareness' plans. Well into the meeting, it became clear that there was a gap between the people Paula and I were giving work to and their C level managers. In other words, we lacked a director level mandate, to ensure that work was continuing at pace and crucially that there was senior management oversight.
A takeaway from that meeting was that Paula and I needed to prepare a presentation for (our most) senior managers, to refresh them on the subject of the GDPR and then also to seek their support in actually getting the work done to ensure we comply.
This seemed really sensible. We thought we already had the required support, but to be honest, it was implicit, rather than explicit.
So, Paula went about preparing a presentation, that was batted back and forth, between myself and our head of L&D, until such time as we were happy with it. Then, I proposed the idea that rather than us deliver it as members of the compliance 'workforce', we ask a fellow director to do it instead, as a respected peer in the boardroom. This felt like a good idea, in order to get our messages across. We'd both be there to assist, of course; answering questions and whatnot, but the package would carry far more credence and gravity, if it was delivered by a very well regarded member of the organisation's leadership team.
This is exactly what happened.
The board meeting
I've been in and around meetings or discussions with senior members of companies since being a teenager, so I'm not at all daunted by the experience. I talk about this in earlier posts. That said, Paula and I were asked to appear in front of our leadership team at around 10:30 on a drab Monday AM and they were running over, with other business.
We got called in and then asked to wait outside. The meeting itself had already gone past it's allocated timeslot and I was becoming a little agitated. Nothing at all to do with the gravitas, or the people in the room we were hanging about outside of, but specifically whether we'd get the time we needed to deliver the package. I needn't have worried.
We were eventually invited in. It's worth mentioning that I've worked for my firm for almost six years and know quite well and am on good terms with each of our directors, as well as our CEO. Keeping that in mind sort of helps calm any nerves when you have to have a conversation with them all in the same room, at the same time.
Anyway, our FD was leading the piece and he took the Board through our prepared presentation; remember a combination of recap and what we need from them. I answered a few questions around the GDPR, clarified a few points and Paula did the same, but between us all, we delivered our message in a quite complete fashion.
And we got a quite complete outcome.
- Does the Board get the GDPR and its implications for our company? - Yes
- We need a Data Protection Officer, who's it gonna be? - The CEO took that role
- We need a mandate to execute and deliver our compliance plan - All agreed
- We need the leadership team to cascade the messages around the GDPR throughout their various teams - All agreed
- We need the leadership team to own the delivery of compliance in their areas - All agreed
Result. A high five (which actually happened).
What next?
So, we've got board room subject matter understanding, we've got a mandate and we've got our leaders all bought in. That's a pretty decent foundation by which to crack on.
We've already done the research piece; looking at our data, how we process it, where we store it, the stuff I talked about in Episode I and so on, but now we've got the green light to make all the necessary improvements to our business in order to achieve compliance, with the high order people making sure it happens.
That's pretty good and it makes me feel more confident that come May 2018, we'll be in a decent spot.
Don't forget, I hold a dim view on snake oil sellers, who will deliver your GDPR complaince at a cost. So, go to the ICO (in the UK) and read up on both your obligations and also learn about how you can do so much of it yourself. Please!
More on this as we progress.
As always. thanks for your time.