GDPR – The Time for Business Process Redesign

01 April 2018

It has been said that implementing the GDPR amounts to a business process redesign. What this means in practice, given how few experienced privacy professionals there are compared with the number of organisations in the UK alone that need to implement such a plan, is that the work cannot be left to any one discipline.

Privacy commentators will often say that lawyers are incapable of designing and running the operational standards the GDPR demands. Whilst this is probably true of lawyers working in isolation (and one would expect anyone, lawyer or otherwise, to have some experience of compliance), they should not be so easily dismissed. After all, it was lawyers who drafted the Regulation and it will be lawyers who interpret it.

The Information Technology or Information Security function is often used as the starting point for any privacy by design project. It is true that, in a world dominated by IT, IoT and so on, there is bound to be a great deal of overlap with what InfoSec experts can bring. After all, a key part of privacy, the GDPR's requirement for security of processing, rests on an ISMS, or Information Security Management System. But, like lawyers, they only form part of the process.

A Personal Information Management System (or PIMS) is needed to provide the framework, and building it requires someone with experience of compliance and risk management, whether that person is a lawyer, an IT expert or a dedicated compliance professional. That is what I would consider to be the third part of the process.

So what about the fourth? Major change management can only be given effect from within: from the decision makers at the top, to those who manage the business day to day, to key stakeholders and then to those within the supply chain.

This calls for a culture change of the business.

Change needs to be compliant but pragmatic, and it must involve Legal, IT and every business process that touches personal data. It should not stop the business or cause it hardship; it does, nonetheless, need to be capable of adapting, and that ultimately comes from the very top. Data Protection by Design is, for want of a better comparison, like the DNA of the organisation. In real terms this means that fundamental, but pragmatic, changes are required, and no single party, be it lawyer, IT expert or compliance and risk professional, can coordinate this alone.

Of course, focusing on process alone will only get you so far. Underpinning everything already mentioned are the employees of the business, so it is critical that time and effort is invested in communication, training and delivery. It is a culture change: data protection should become second nature and form part of each person's job role. That way, the groundwork laid by designing processes and technical systems will be carried through by a proactive, rather than merely functional, workforce, one able to deal with the time-limited duties that arise under the GDPR, such as Data Subject Access Requests and breach responses.

Furthermore, there needs to be a proper data definition and mapping exercise. A single organisation may well hold the same individual under a myriad of different definitions: your marketing department is interested in the consumer, finance looks for the customer, while your supply chain deals with retailers and wholesalers. Each of these views of the data subject is then duplicated many times over and stored in many different locations, and every copy has to be found and accounted for.

Ultimately, a business process, whether designed or redesigned, needs to ensure not only compliance with the GDPR (insofar as is possible) but also to reassure the consumer, while not neglecting the organisation as a whole. Change management will only succeed where there is an understanding of, and investment in, design thinking.

How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070