Achieving GDPR Compliance: Episode VI
As we're now just a few weeks away from May 25th, here's a fresh update on where we're at on our journey towards GDPR compliance.
In my last update, I talked about the findings of our external audit and about the fact we were about to be audited by the UK's Information Commissioner's Office (ICO). That's now happened, so I'll share some of the results of that and also update on where we're currently at.
The audit
So, on February 21st, a chap from the ICO rocked up to grill us over two days about our various approaches to information security. To be clear this wasn't a GDPR audit per se, but it did look at how we go about securing personal data.
As I mentioned in my last post, the key areas of focus were:
- Governance and risk management
- Managing third-party suppliers
- Monitoring, auditing and testing
- Business continuity
- Data breach reporting, monitoring and management
- System access
- Physical security
And so that's what the bloke concentrated on: reviewing our documentation, asking myriad questions, taking a 'look see' at our people, processes and systems, all to form a broad understanding of where our organisation currently is when it comes to ensuring that the rights of individuals are being upheld.
It wasn't particularly gruelling, for two key reasons:
- We're a well audited firm, so have plenty of experience
- We always put our cards on the table, i.e. provide honest answers to questions
The second reason is particularly important. No matter how good a firm thinks they are, in terms of doing the right things, there's no better reality check than someone completely independent scrutinising you and providing challenge. It's how companies improve: self-reflection, but also a willingness to be shown the way, where necessary.
Anyway, how did it go?
The findings
At the end of day two of the audit, the auditor provided some initial feedback, which was generally very positive. It wasn't definitive, nor was it necessarily accurate down to specific detail. It was general, simply based on the answers provided and his appraisal of our people, processes and systems.
But it was positive.
The follow up was a more detailed report, containing specific observations and recommendations.
And also a 'score'.
As you can see, we scored 'Yellow', which, as the chart says, means there is a reasonable level of assurance that we're doing the right things around managing individuals' privacy, but also that we can and need to do some more.
This is in all honesty what we expected. We certainly didn't expect 'Green', but then I would personally be very surprised if anyone shaded that colour, because I don't expect any organisation to be fully compliant with the GDPR, come May 25th.
I would have been disappointed with anything less than 'Yellow' though, as we do some very good stuff around information security and as far as we are reasonably aware, the things we need to do are well known and on a plan.
So, 'Yellow' felt right and we were fairly pleased with that. It was effectively a confirmation of our own view and in practical terms, meant we could just continue with our improvement / compliance work.
To provide a little more detail, the key findings were:
- Physical security is in good shape
- Logical security is in good shape
- We take seriously the findings from other audits and act on them
- We can do more around our management of policies
- We can do more around governance (we are actively recruiting for a Head of Security)
- We need to be more consistent in how we manage incidents
And actually, these were / are already things we know, so again, the auditor's views were a fair reflection of our own reality.
Nearly time
OK, so we got our report from the ICO and it pretty much chimed with our own thoughts, but what's happening now, in the run up to May 25th?
Well, loads! Here's a summary:
- Our compliance / HR / regulatory people are finishing off changes to policies and processes
- Our legal people are reviewing said stuff, to ensure they say the right things
- Our learning and development people are working out comms plans and training materials for the entire business
- Our software teams are making changes to systems to ensure we meet the requirements of such things as consent, personal data management and so on
- Our senior managers are (to their credit) taking the lead in ensuring the above things are happening, rather than seeing the GDPR as yet another 'compliance project'
- GDPR remains on everyone's lips, which tells me it's being taken seriously, by a company that cares
Curiously, and back to my point about enforcement, the ICO is still to this day posting tweets with advice for firms taking their "first steps towards GDPR compliance". This tells me they recognise that many, MANY orgs won't be ready come deadline day, but they're trying to engage as many as possible.
Firms doing the right things and paying attention to the legislation have nothing (or at least very little) to fear. That's my opinion.
Closing point
I saw a tweet at the back end of last year that raised the proposition that 'GDPR fatigue' was a thing. I think it's a good shout and having worked on it with my colleague for a year, I have to say I'm really feeling it.
That said, compliance isn't an aspiration or a choice. It's a statutory requirement, so the effort expended in the interests of compliance has two primary objectives:
- Acting lawfully
- Respecting the privacy of individuals
Point two is all the motivation needed.
My next and final post in the series will be after May 25th. I hope you've found it interesting and maybe even useful.
Thanks for reading. :)