We've spent the last eight or so months planning and preparing for the GDPR. We've found it confusing at times and it has cost us quite a bit in terms of time and money.
Whilst at first it seemed a pain in the backside, we soon realised the benefits. Primarily: who wants to deal with a business that doesn't take your personal data seriously?
Our first goal was to try and understand, as best we can with the limited knowledge out there at the moment, what the GDPR meant for us and what we had to do to become compliant. The second goal was to see how and where we could help our customers.
So we all started by reading the final GDPR text and the ICO Bill (taking notes as we went), and we all got a headache! We read the ICO website, but at the time it didn't contain much useful information and was very complicated. However, the ICO website has been getting much better day by day since the turn of the year. It is now easier to navigate and the content has improved. They've also updated their checklists and assessments and, more recently, added some toolkits too.
With limited resources and lots of misleading information we decided to take the following steps:-
- Attended the GDPR.Summit in London
- Achieved Cyber Essentials Accreditation
- Stuart and Rachel passed the GDPR.Summit certification
- Attended several GDPR seminars and online webinars
- Purchased books from IT Governance and others - we found these quite useful
- Trawled the web covering over 100 websites reading and comparing articles and resources
- Tested software and templates
- Reviewed and tested software to track GDPR Compliance as well as ISO 27001 compliance
- Attended another seminar hosted by a law firm in Milton Keynes (EMW) in April 2018 - this was extremely helpful
- Passed the exams for DrayTek certification, which helps us configure and secure our firewalls properly
With plenty of knowledge behind us, we needed to start the process of reviewing our systems, updating policies and procedures, training staff, checking supplier status and making any necessary changes to our systems. We had several options at this stage:-
- Purchase a dedicated software program
We have partnered with a provider whose software can help you achieve both GDPR compliance and ISO 27001 compliance. Through Cambridge Helpdesk you can get a discount on their software. The biggest benefit is that, right from the off, it completes 77% of the steps for you. For large companies, or companies looking at ISO 27001 (and other ISO standards), it's pretty much a no-brainer.
- Purchase some Excel templates
There are templates available now, but we found them quite complicated. The best ones we found cost £500, but this was a one-off payment. If you would like to know where to get these, please give us a call.
- Use our existing documentation system
We have an excellent documentation system at Cambridge Helpdesk, so it made sense for us to use this. We can check when staff have read articles and completed any tests, we can easily update sections and keep track of changes, and all the data is secured by password plus multi-factor authentication (MFA).
Having decided to track our GDPR compliance in our documentation system, we created a 10-point checklist. There are lots of checklists out there: some are 7 steps, some are 10, some are 12. Basically it just depends on how you categorise certain sections of the GDPR against your own internal systems. Here's our '10 Step checklist':-
| Step | Item |
|---|---|
| 0 | Start Here/Prep work |
| 1 | Appoint a DPO |
| 8 | Privacy Impact Assessment (PIA), known under the GDPR as a Data Protection Impact Assessment (DPIA) |