05/16/2018

Key takeaways of our approach to reach GDPR compliancy for a Dutch bank

May 16, 2018 | Amsterdam. Creating a ‘GDPR proof’ organization within a couple of months for a Dutch Bank. A brief description of the approach by Sia Partners.

Almost every organization based in the European Union (EU), as well as every organization that does business in the EU, is impacted by the new privacy regulation, the GDPR. At the same time, organizations find it very difficult to align their business operations to ensure compliance. Every aspect of personal data processing is affected. The attention of C-level executives has been drawn by fines of up to four percent of the organization's worldwide turnover (capped at €20 million) for non-compliance.

The General Data Protection Regulation (hereafter, GDPR) replaces Directive 95/46/EC when it comes into effect on the 25th of May 2018. This date marks a significant step in the harmonization of data privacy laws across Europe. The concept of data privacy is enforced and extended to protect and empower all EU citizens. In addition, the GDPR imposes more responsibilities on organizations across the region.

The GDPR has received a lot of attention in the media recently. Many organizations became aware of the regulation and concluded that there is still work to do. Now, just two weeks before the deadline, hopefully many organizations meet the minimum requirements. Those that do not should not expect to reach this at such short notice. But know that a lot can be achieved within a couple of months. Below is an example from a small Dutch bank.

It is Monday the 5th of February, during lunch, when a client's request reaches our team. The request is straightforward, simple and concise:

‘The 25th of May is approaching and non-compliance is not an option. Make sure that we are compliant’

What are the stepping stones?

Implementing the GDPR is much like crossing a rapid stream with only a few stepping stones to make your way across. Every organization needs to find its own way, each at a different part of the stream.

Familiarize yourself with the client's business and start by identifying which part of the stream to cross. Connecting with the right experienced and knowledgeable people on the client's side supports a solid start. Identify the client's existing processes, roles and responsibilities. Involve the key stakeholders from an early stage and jointly perform a quick scan analysis to define the existing situation.

The conclusion was quite simple: given the nature of the client's business, the GDPR affects the organization down to its core. The GDPR requires the establishment of processes and procedures that enable personal data protection by design and by default. In addition, from the 25th of May every individual (hereafter, data subject) is empowered to enforce their data subject rights. This has an impact on every part of the organization.

The first step is critical

We took a moment to step back, assessed the situation, identified key stakeholders, established a reporting framework, identified key deliverables/milestones and familiarized the client with the impact of GDPR.

On a daily basis, we discussed the necessity and rationale behind the requirements derived from the GDPR. In less than three weeks, the level of awareness grew rapidly and the organization as a whole shifted into a mode in which complying with the GDPR was the common goal. By that time, we had defined the minimum viable product (hereafter, MVP) and subsequently mapped out the necessary actions per department. The MVP further defined the organizational impact of the GDPR and helped to identify the high-risk topics.

We were now present in the midst of an organization that knew its obligations under the GDPR and was committed to doing what it takes to comply. The GDPR terminology of data subject rights, GDPR principles and data protection by design and by default was fully understood.

Keep the rhythm going

Due to the level of awareness, people from across the organization proactively started to discuss the impact of the GDPR. Some of these people could be referred to as key sponsors and were very supportive of the project team. This level of support enabled us to find sustainable and appropriate solutions by holding small, interactive 4-hour workshops per MVP topic. At this point we were working jointly with key stakeholders on designing and modifying different processes. We found a modus operandi that enabled us to design, modify and implement two new processes every week.

These new processes ensured that the response to every inbound data subject request was consistent, accurate and within the timeframes set by the GDPR. Due to the approaching deadline we focused on delivering the MVP, which meant that some of the designed processes required manual actions. The number of these manual steps was kept limited to ensure a consistent way of responding to data subjects. Data protection by design and by default was implemented by modifying existing processes. The GDPR does not require organizations to boil the ocean.

The documentation of the ‘GDPR proof’ way of working was key and served as the basis for the GDPR policy. The existing business operating procedures and documents were in place, yet fragmented. We saw the implementation of the GDPR as an opportunity to consolidate, revise and update the existing documentation.

Do not jump to the end

The processes and procedures that enable data subjects to enforce their rights were in place. Every department participated in specific GDPR training sessions to embed the principles of data protection by design and by default. These sessions were very well received within the organization.

During the project we were constantly on track and sometimes even ahead of the initial planning. Yet from experience we knew that at the end of every project unforeseen issues may surface. We communicated transparently on progress and involved stakeholders to actively spot impediments. Staying in close contact with our key stakeholders assured us that we were on the right track while keeping the end in sight.

The requirements derived from the MVP have been delivered, yet an MVP by definition indicates that there is still work left to do. Implementing the necessary technical and organizational measures requires further attention in a second phase. This second phase will primarily focus on IT-related requirements to ensure digital security with regard to data protection. In addition, the GDPR policies will be further defined and established within the organization.

Being compliant before the 25th of May was the goal. As of now, the organization is able to respond to data subject requests in a timely manner. More specifically, the privacy of its data subjects is now ‘GDPR proof’ and protected by design and by default.
