Episode 002: GDPR Compliance: What Does that Mean?
Full Episode Transcript
Hey there, and welcome. I’m Rocio Baeza. I’m the founder of GDPR Stand Up, and I’d like to welcome you to today’s session.
The topic for today’s session is GDPR Compliance: What does that mean? So if you’re listening, you’re probably responsible for putting together a GDPR compliance plan or program for your organization and you need some help along the way. So I’m hoping that this session will help just bring some clarity with that so that you can focus your efforts on the right things and don’t worry about the rest.
So GDPR compliance, I would say that … There’s a checklist. There’s a 4-step process that I would recommend if you’re looking to understand what does GDPR compliance mean for my organization. I’m going to walk you through those four steps.
So step number one is to identify what requirements apply to your organization. GDPR is very broad and extensive, and not all requirements apply to all organizations. Some organizations will have to address all the requirements, but there will be some organizations that just have to worry about a portion of those requirements. So step number one should really be determining, “Hey, which of the requirements actually apply to me?”
Now, you can always take the approach of doing everything. If that’s what your goal is, then you definitely can do that. But if you’re strapped for resources to focus on the minimum that you have to focus on, whether it be a starting point or maybe that’s just the reality that you face because of the resources that you have, then you should start with that first step: identifying which of the requirements actually applies to my organization.
Step number two is you want to assess the gaps. So this is GDPR, and a smaller subset of that is a point applied to your organization. So your second step is determining, “All right, for the requirements that apply to my organization, where do I have gaps?”
Step number three is going to be remediating the gaps. So you may already be doing some things that are required by GDPR, and there may be new things that you have to incorporate. So once you’ve identified what those gaps are, you want to remediate that. You want to fill those gaps.
And step number four is maintenance. Basically continuing to do the things that you need to do to remain in compliance. I think it’s important to clarify that GDPR is going to require a number of one-time activities and a number of recurring activities. So one-time activities, these are things that you only do once. And recurring activities are things that you do continuously in order to maintain that GDPR compliance.
And the same way that a business runs on people, technology and processes, a correct GDPR implementation will impact these three areas. It’s not just going to impact the technology. It’s not just going to impact processes. It’s not just going to impact people. It’s going to impact all three areas.
I think it’s important to address this because I’ve seen … over the last year I’ve seen lots and lots of misinformation … incorrect information out there, usually in marketing pitches and sales pitches, where just incorrect information is being thrown out there and that really upsets me. That upsets me that many organizations need help with GDPR compliance, and I think that there are organizations that are taking advantage of the attention that GDPR is bringing to the space. But it upsets me that incorrect information is being put out there.
So some of the misconceptions that I’ve heard are things like, “Hey, if you just put together a new privacy policy, a GDPR compliant policy, you’re done.” No. That’s not true. That may be something that you may need to do, but that’s not the end. There’s more.
I’ve also heard that if you put together a policy that that’s enough, that you can just go on the website, download a number of policies, and swap the company name with your company’s name, and that makes you GDPR compliant. No. That’s not the extent of GDPR. If you do that one measure, I mean, no, this will be required for many organizations but don’t think if you just take that one step that you’re done.
Another misconception that I’ve heard is you can just worry about delivering a GDPR training module to your employees and you’re done. No. Yes, I’ve seen many of these modules. They’re not specific to just GDPR. I’ve seen this for PCI. I’ve seen this for GLBA, for the Data Protection Act, and for HIPAA.
Yes, there’s a marketplace out there, and yes it’s oftentimes just very generic information. But no, just delivering a training module about GDPR, no, that is not going to cut it. You’ll need to do more.
Another misconception that I’ve heard is that a GDPR audit is enough. That if you invest in doing an audit, that you’re basically done. You don’t have to do anything else in the future. That’s probably not a complete thing.
I’ve also heard that a GDPR certification is enough. Again, that’s not enough. So it’s important to point out that … as far as I’m aware, based on the research that I’ve done, there isn’t a GDPR certification that regulators have blessed. I have seen lots of GDPR training programs and certifications that claim to make people GDPR certified. You should know that these are private training and educational resources that are being put out there by organizations. These are not endorsed by any regulating body. Don’t think that if you get a GDPR certification for yourself as a professional or for your organization in the form of a seal, that that’s somehow valid in the eyes of the regulators.
There are a number of very helpful resources out there to help you on the path of becoming GDPR compliant, but just know that there isn’t an approved certification that the regulators are recommending that you go out there and purchase.
And to wrap up with these misconceptions, another misconception that I’ve heard is that purchasing a tool or environment is enough. That if somehow you purchase a GDPR-compliant tool, a GDPR-compliant Cloud, a GDPR-compliant instance, that you are good. The same way that a business runs on those three things that I mentioned, people, technology and processes, a correct GDPR implementation plan will affect those three areas, not just one.
All right. So we talked about that process so that you can better understand what GDPR compliance means for your organization. And again, those steps are one, identify the requirements that apply to you; two, assess the gaps; three, remediate the gaps; and four, maintain that.
So for the activities that you have to do on an ongoing basis, make sure that you repeat those. If you’re looking for a helpful resource, I have a pretty good visual. You can download our 10 GDPR components, and this is basically … think of it as GDPR divided up into 10 chunks. Some organizations will have to address all the GDPR requirements, and some organizations will not. And if you’re looking for just some way of visually seeing the possibilities, I would point you to the 10 GDPR components, which you can download on our website at gdprstandup.com.
All right. So as we wrap up here, just keep in mind that GDPR is looking to protect personal data about people. It targets personal data of EU citizens and EU residents. The idea is for a GDPR compliance program to provide more transparency to individuals about personal data that organizations are collecting about them, and how that’s being used. And providing individuals with choice as to how their personal information can be used by organizations.
The same way that a business runs on people, technology and processes, a correct GDPR implementation plan will have a trickle-down effect in those three areas.
So I hope this session was useful to you. Thanks for checking us out, and again if you’re looking to download a copy of the 10 GDPR components, you can download that on our website, at gdprstandup.com. And if you are responsible for GDPR compliance in your organization and you need some help along the way, check out our virtual group. So we have a virtual community where we’re providing professionals with a step-by-step process on how to navigate that.
The idea is that … not to provide you with just long jargon information; it’s to provide you with very practical step-by-step instructions. Don’t feel like you have to get a certification in order for you to do this stuff. You can do this with the tools and the knowledge that you already have. You may need to reach out to other folks in your team to complete this, but I would say and I would argue that as someone that has done these types of programs in the past, this is something that you can very much do on your own.
Thanks again just for listening, and see you in a future session. Goodbye.
LINKS AND RESOURCES MENTIONED IN THIS EPISODE:
- GDPR Stand Up Website: gdprstandup.com
- The 10 GDPR Components
- The GDPR Implementation Blueprint
- Join the GDPR Stand Up Virtual Community
- Free GDPR Data Inventory Course: http://gdprstandup.com/free-course/