I have recently been asked about my approach to the GDPR compliance process. It might have looked like an innocent question but it clearly isn’t. My first reaction was to answer asking «Do you have a couple of hours?» but, as far as I know, answering a question with another question can be considered, in some cultures, impolite. So I somehow managed to stay calm, breathe deeply and start from the beginning.
The very first step in a GDPR compliance process is to obtain a complete endorsement from the Boss. Easy to say, hard to achieve, I know. But, if the Cs guys/girls (par condicio) are not by your side, no matter how good and/or experienced you are, you had better leave the process, shake hands and say goodbye. You won’t earn any money, but at least your professional integrity will stay immaculate.
«How do I know if I have the support from the Boss?» Well, try this trick: ask him/her to write down what he/she wants you to do, using just one sentence. He/she will probably write: «I want my company fully compliant with the GDPR». Then, take this paper and store it jealously in your safe-deposit box. Don’t have one? Buy it, it will be worth every pound/euro. When things turn bad (they probably will), you’ll rely on this paper and it will save your (professional) life.
The Big Picture
Now that you have been empowered, you need to have an integral view of the scenario where you’re going to roll out the GDPR compliance process. This is also known as «The Big Picture».
When we’re talking about an integral view, everything counts: previous privacy policies (if any), data mapping, a basic scheme of the area processing personal data, any hardware and software inventory…
Tip: compile any laws applicable to the sector of the company you’re working for: you never know where you might find a legal basis that can substitute for the consent of the data subjects.
Once you have all the information, put it on a big dashboard. At least in my case, I need a visual support to understand the situation. Probably, millennials will use an app, but I’m old school and still use a dashboard.