A hand's on perspective of our GDPR journey to date
Hey Lynnette - 'Would you mind being on our GDPR Project Team?'
Our journey started over a year ago with a project mandate to ‘review our Data Protection practices and implement any changes required for GDPR’. Sounds simple enough, right?
Fast forward one year, countless hours spent by a project team of 10, industry events attended, policies reviewed, re-written, reviewed and re-written again, GDPR awareness training delivered to 100+ employees worldwide, and one thing has become clear - to be successful in any change programme you need the full engagement of everyone and the right tools in place.
It is important when implementing any change in an organisation, no matter the size, to get buy-in from everyone. It is not enough to produce policies and tell everyone to read them and comply, they need to be engaged in the process. They need to be able to challenge the changes so they can fully understand;
- why it is changing
- what needs to change
- how the changes will be achieved
Lucky us!
In many ways we are lucky at APMG. Why? Because we have great tools at our disposal which have made the GDPR compliance journey smoother.
Firstly, our General Data Protection Regulation (GDPR) Awareness – Making Data Privacy Matter course, a one day awareness course aimed at every level in an organisation to raise awareness and encourage everyone to take responsibility for protecting data. This was great for creating a GDPR checklist to ensure we knew exactly how to progress and who to allocate to which role.
Secondy our Cyber Portfolio which includes the Cyber Defence Capability Assessment Tool (CDCAT®) and Cyber Essentials to assess our systems and processes. These help to ensure we have the right security in place to protect the data we are processing,enabling us to identify vulnerabilities and mitigate cyber security risks on an ongoing basis.
It is not enough to say we hold data securely. We need to be able to demonstrate that we;
- have considered the sensitivity of the data we are processing,
- understand how we process it
- know why we are processing it
- have the appropriate security measures in place to protect that data appropriately.
People trust us with their data - we need to take care of it
Individuals have chosen to work with our organisation and in doing so have entrusted us to protect their data. That is something we take seriously - aiming to ensure it is adopted not only to achieve legal compliance, but through fostering a thoughtful and cultural adoption by each and every member of APMG staff.
Our GDPR journey has been long, and at times bumpy, but one thing about GDPR, unlike the Data Protection Act (which was something that people acknowledged but never discussed), is that everyone is talking about it. People are engaged at all levels, questioning processes: Why are we doing it that way? Do we need to do it that way? Are we doing it like that because that's just the way we've always done it? It's been a positive experience with everyone involved, suggesting new ideas, streamlining processes, coming up with new ways of working. So, love it or hate it, GDPR has people talking, sharing ideas and suggestions and when it comes to continual business improvement - that can only be a good thing.
We are well into our GDPR project journey but are only just starting our GDPR Business As Usual (BAU) journey. Wishing you all success with yours!
CDCAT® is a registered trade mark of The Secretary of State for Defence, Dstl
