Preparing for the GDPR: Step 1) Identify the gaps

We are starting to see organisations taking stock of how they currently comply with local Data Protection laws. That is certainly a commendable first step – if you don’t comply with the currently enforceable Data Protection laws, you may have some way to go with the new, updated laws emanating from the GDPR.

Current Data Protection laws

Looking at the UK’s Data Protection Act from 1998, there is some overlap with the GDPR. Understanding your current obligations will help your organisation become compliant with current laws and draw a baseline from there. This process will also help accelerate your organisation towards the first step of preparing for the GDPR: understanding where the gaps are.

Identifying the gaps with a workshop

Simply put, this step requires collaboration across the organisation; without it, you won’t be able to locate the disconnects between processes and procedures.

As a first activity, determine the departments through which personal data flows, and round up the heads of those departments.

  • Data Protection Officer (if one is appointed)
  • Information Technology
  • Internal Audit (if in-house)
  • Human Resources
  • Marketing & Sales
  • Procurement / Sourcing
  • Product Management / Development
  • Finance
  • Chief Executives

You may have concerns about requesting a large time commitment from the attendees, but this need not be the case. If the workshop is broken down into key topics, you can assign the required attendees according to topic area, allowing you to plan an effective and well-organised event.

Ideally, the discussions should be led by a Data Privacy and Protection professional, who will ask a series of questions which can sometimes come across as probing. This is essential to obtain a true account of practices across all departmental areas.

Expected outcomes of a GDPR Audit Assessment Workshop

The outcomes are the “secret sauce” carefully prepared by the Data Privacy chefs. During workshops, some information tends to be disclosed that was not previously on the table, but that’s good – that’s when unknown risks become known risks which can be addressed and responded to.

Outcomes from workshops typically reveal:

  1. Culture: No consistent understanding across departments
  2. Processes: Revise or design new processes to meet new obligations
  3. Controls: Weak or lacking controls in place
  4. Systems: Some systems are inadequate or missing to support processes and controls

About Winterhawk

Winterhawk offers a variety of Data Protection, Privacy and GDPR services. For more information, visit our GDPR Services page.

If you liked this blog and would like to be notified of new articles and updates, follow us on LinkedIn or Twitter.