Climbing the 12 ICO steps to GDPR
Step 1 – Awareness
The ICO, the UK’s data protection supervisory authority, has been busy providing guidance to UK organisations on how to comply with the impending GDPR. One of the most cited pieces of guidance is Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. This 11-page high-level guidance is intended to provide an executive summary to help organisations kick off their GDPR compliance journey. It is, in my opinion, a very good summary of the areas organisations should focus on to grapple with the expansive and somewhat daunting GDPR. The guidance can be considered bare-bones, however, and therefore needs further guidance that would be useful to the less prepared or less resourced organisations. With this aim, I intend to go into greater detail and put some flesh around the bare bones of the 12 steps.
This is the first in a series of 12 articles deep diving into each of the ICO 12 Steps.
The 12 steps recommended by the ICO are:
- Information you hold
- Communicating privacy information
- Individuals’ rights
- Subject access requests
- Legal basis for processing personal data
- Data breaches
- Data Protection by Design and Data Protection Impact Assessments
- Data Protection
Awareness – Taking the first step
I will try not to repeat what the ICO has already stated in the guidance, but instead expand on that guidance with examples, with a view to helping readers implement it.
When the ICO guidance was drafted at the beginning of 2016, organisations had 2 years to prepare themselves, and the guidance also envisaged that organisations would have a certain level of maturity from compliance with the existing DPA 1998. This is not the case in reality: many organisations will be starting from scratch. One example of this will be all the processors, who were exempt under the existing directive but will now be in scope.
Who needs to be aware?
So what does this ICO Awareness mean in reality and in the context of the GDPR? At this stage this is not the same as training and awareness, e.g. in the same sense as cyber security training and awareness. This awareness is about making the top-level people responsible for resourcing and financing, and those ultimately accountable for compliance under the GDPR, aware of:
- The GDPR, what it is and why it is important
- The GDPR’s requirements
- The likely impact on the organisation if it is found to be non-compliant.
They need to be made aware, and made aware right now, that they will be accountable for GDPR. Being made aware of the consequences, such as hefty fines and the additional reputational damage, will certainly help to concentrate their minds; however, rather than scaremongering, a subtle risk and reward approach may be more productive.
How to make them aware?
So at what level does this need to be pitched, and how?
Well, there is no silver bullet, as each organisation will have its own methodology, size, makeup of top-level leadership and culture. Private sector companies are different to public sector entities, and their organisational structure and reporting lines may also be different. For example, whereas private sector organisations have executive boards, public sector bodies do not always have the same. They may instead have senior risk owners and high-ranking civil servants called permanent secretaries who are accountable for each department. Whatever the structure, GDPR needs support and funding from the accountable officer level, both for accountability as required by the GDPR and to give it the impetus, leadership and sense of urgency needed by those organisations that are lagging behind. The executive board needs to be behind this 100%.
Choosing the correct language
As people at the level where this needs to be considered talk the language of operational risk, GDPR should be framed and articulated as such rather than as a cyber security or privacy issue. For this it may be best coming from the organisation’s legal counsel, the risk officer if one exists, or someone with sufficient gravitas and trust. Most boards meet on a regular basis but not frequently, and have their agendas mapped out weeks if not months in advance, so it is essential that GDPR is included in the board agenda as soon as possible.
One good way of getting the board’s attention would be to include GDPR as a new risk in the operational risk register as a high or critical regulatory risk. The higher the risk, the more likely it will be noticed and discussed. It should be rated high enough to appear in the heat-map or dashboard to get their attention. Senior people have busy schedules and often only review the top 5 or top 10 risks, so you want to ensure GDPR is one of them. Be prepared to answer the questions that will follow from the risk being raised, and be prepared to present draft executive briefing papers on GDPR.
So what are the questions the board is likely to ask? For starters they could be something like:
- Why do we need to comply?
- What is the risk if we do not comply?
- The differences between DPA and GDPR
- What about Brexit?
- How do we start?
- Where do we start?
- How long do we have?
- How much is it going to cost?
- How long will it take?
- Who is responsible for it?
Sky is falling but not yet fallen
The risk of GDPR non-compliance should be tempered with the many benefits and opportunities that can be achieved from such a project: the upside risk, as it is sometimes referred to. Some of these opportunities I have touched on previously in my blog GDPR – Opportunity for CIOs and CISOs. These benefits are ultimately benefits for the whole organisation, not just CISOs and CIOs.
Although the objective of this awareness is making the accounting officers aware of GDPR, a secondary benefit will be the raising of awareness throughout the wider organisation as news of the GDPR initiative trickles down. After all, GDPR will impact the whole organisation and requires awareness and effort from everyone for it to be successful, both in the initial programme phase and going forward.
Watch out for the Information you hold article, next in our series of 12 articles “Climbing the 12 ICO steps to GDPR”.
Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF – is a certified GDPR and Cybersecurity practitioner. As a security practitioner he has written, tested and embedded many incident management plans and processes, and dealt with many incidents and data breaches. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXELOS, published in 2014, and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneurs.
If you need any assistance with any aspects of GDPR implementation or cyber security please contact us.
If you are interested in our one-day GDPR How-to Master Classes, please register here at Cyber Counsel.
Copyright Cyber Counsel (cybercounsel.co.uk/gdpr-masterclass)