For businesses and non-profits, the GDPR (General Data Protection Regulation) is a classic threat/opportunity. Do you want to spend serious money on it?
Wait until the last minute, of course. Then start by calling in a lawyer or GDPR specialist to look in detail at your business and tell you what’s needed. Now you have a To Do list as long as your arm, probably not much idea how to make the changes, and a large bill. Want to spend even more? Take a back seat and let your consultant manage the project.
You could delegate everything to a junior manager. That won’t be as expensive: you just won’t get much done. It’s a clear message that your senior people are “too busy doing REAL work” — and this is likely to be the message your GDPR appointee receives as they try to start a discussion with those people.
What about the tech lead? That will only work if he or she is strong on the business side. Someone with a purely technical focus is likely to be distracted, and may not “feel” the problem deeply enough to drive the changes through.
The Other Approach
You can move towards GDPR compliance at lower cost, and perhaps gain a market advantage too. First, you need to understand that this isn’t like an unproductive regulatory change or a tax increase, where the authorities are in effect your opponent. In those cases, it does make good sense to speak to the experts first. This time, much of what the regulations demand is just good practice — we should have been doing it for years. Now we’re legally required to. GDPR is likely to increase awareness of data protection, and you gain a market advantage if you comply and your rivals don’t.
Your first step is to understand it. If you appoint someone in your organisation to manage the GDPR project, it needs to be somebody with real authority. The ICO (Information Commissioner’s Office) is the regulator. Their website is written in plain English, so start there. A lot of what you’ll find elsewhere is out of date or inaccurate.
Then Get Started
One of the first jobs is an audit to discover where you store personal data. You also need to analyse how you acquire it and who processes it.
If you start by doing, you show your team that GDPR is serious, and you gain knowledge that will be useful when you finally have a meeting with the specialists to cover any areas you’re not sure about. That knowledge will continue to be useful once you’ve reached GDPR nirvana and have to maintain compliance.
Keeping the organisation compliant is all the more important if you employ developers. When they’re flat out trying to get the main job done, making sure the design stays within regulations is not intrinsically appealing. Unless you’re planning to keep a room aside for the consultant, someone from management needs to show that it matters.