One GRC Manager’s Practical Approach to GDPR Readiness
With about four months to go before the GDPR becomes effective many companies are still struggling with where to start. You’re not alone. According to this survey, the majority of companies are slow off the mark. On top of that, companies require resources and budget to prepare for and comply with the GDPR.
I fully understand the challenge. It starts with the GDPR document itself. Printed, it’s like a full tree or door stopper and reading through it is like a big sleeping pill. With 261 pages of heavy legal reading it could take you a few days to digest the volume of information it contains.
At Imperva, our readiness to meet the regulatory requirements established by the GDPR is managed by our Privacy Office. As a GRC manager on that team, I was one of several individuals tasked with reading, understanding and communicating GDPR requirements to our internal stakeholders as we developed our compliance plan.
In this post, I’ll share with you how I approached GDPR readiness.
No doubt, your organization has a team established to work through GDPR requirements and prepare as needed. If you’re a member of that team and haven’t yet started down your own path, I’m hopeful you’ll find this a useful guide in helping jump start your project, with the ability to tailor it to your specific needs. My goal was to make it as practical as possible. And I provide timelines to give you a sense for how long each step took when I took it on. Here we go.
Step 1: Read the Regulation (Then Read It Again) and Identify Areas of Impact – Maximum 1 Week
Read the GDPR at least twice, the first time with the view of finding out what it’s all about and what principles and articles it contains. During the first read I also marked up if a principle or article required a potential action from us—either from a corporate standpoint (if Imperva needed to prepare internally as an organization) or from a business standpoint (how Imperva could help our customers prepare). To do this of course assumes you know your organization, its products and services. If you don’t, this will be more difficult for you and may require a full-on team read. This could be fun.
Organize Findings into Related Groups
The second read was more intense and this is where I started to drill down into a more granular level of what GDPR means to us. I thought about how to break the requirements, principles and articles into related groups, both corporate and business. When I say business that really means our services and product lines. While working with one of our GDPR professional services teams I identified a practical way to organize the groups—I put each relevant principle or article into one of four independent buckets. Each bucket was given a name and owner. The buckets are as follows:
Each relevant article or principle, as outlined in the sample below (Figure 1), was put into one of the four buckets. If I was not sure to include a reference, I did it anyway just in case it was important to the business and I needed to refer to it later.
Figure 1: Extract of relevant GDPR articles and principles
Step 2: Get Business Teams Buy-In and Collect Feedback – Approximately 4 Weeks
Armed with this spreadsheet I was ready to approach the respective business teams. I found the best way to do this was to present the ideas and concepts in a workshop. This took a number of sessions to include all parties, but it enabled me to explain the process, field their questions and reach agreement on the asks I had of each of them. Coming prepared with the bucketed list helped the respective teams feel more relaxed knowing they didn’t need to read the GDPR themselves as it had already been thoroughly reviewed and only required them to focus on a small subset of the requirements.
Team Feedback / Business Requirements Mapping
Once I explained the GDPR review and bucketed approach to the teams I then asked for their feedback. The easiest way to collect this information was in a spreadsheet, capturing the source of details of the GDPR including chapter, section, heading and reference number as shown in the graphic above. I was not able to find the GDPR text in this format so a copy and paste was the only alternative. I never copied all the text from the GDPR, only relevant text.
The process outlined as Phase I for the business required mapping the GDPR subsets (stated above) for matches relating to GRC, Product, Feature and Corporate buckets. As a takeaway, I sent each team a follow-up email and the attached spreadsheet after the meeting(s). Over the course of a few weeks the teams captured all the relevant GDPR requirements in the spreadsheets as a “Yes” in the appropriate column where an action based on the GDPR was required:
- Column G – Governance Risk and Compliance (GRC) requirements
- Column H – GDPR compliance requirements your product must have
- Column I – New GDPR features you can provide your customer beyond the “must-haves”
- Column J – Corporate/legal requirements
I added a comment column, which I completed to include a short and sweet description of the GDPR requirements without the business having to do too much reading. That said, I also included the necessary GDPR descriptions if more information was needed.
Step 3: Review Feedback with Each Team – Approximately 2 Weeks
The next step was to review the spreadsheet with each of them. This helped clarify certain information that was not clear and ensure they had understood the GDPR requirements correctly. Not all GDPR requirements were marked with a “Yes”, thus further reducing the number of active GDPR requirements. I consolidated the feedback received into a single table with some initial analytics. See Figure 2 below.
Figure 2: Table showing GDPR analytics based on the teams’ input
The table looks quite scary, but don’t worry. Not each GDPR requirement translates into an action and this was only a provisional view, not the final.
Step 4: Develop an Action Plan – Approximately 2-3 Weeks
Each group approached their action plan differently. The product and services teams created a product requirements document (PRD). The PRD outlined in great detail how the requirements aligned with changes in the product. This included “must-haves” and new features to enhance our products capabilities. The legal and corporate team created a task list of impact areas that required action or updates. For example, updates to our web and privacy policies. Each task was assigned a timeline and person responsible. Of course, the PRD is a much larger project and requires many changes and many people. The product and services teams consolidated a number of related “data management” requirements into a single PRD and provided this to the engineering team to break down into more detail.
Step 5: Track Progress and Countdown to May 2018
We are now into actions monitoring by the teams to ensure we continue to meet our May 2018 timelines. Changes continue to filter down into the product, some extremely significant, such as regionalization of data. Legal included GDPR in our ongoing vendor risk process which relates to both the agreement side and the assessment side. Marketing has made progress with regard to data privacy opt-in requirements. As of now, we’re on track with the plan.
I hope this has given you some insights into what you should be thinking about for your own GDPR readiness project. The May 2018 effective date is around the corner (May 25, 2018, to be exact!). But there’s still time to prepare – you may just need to accelerate your project timeline to ensure you’re ready.
Can we help? Learn about professional services for GDPR compliance from Imperva.