This blog has been written by Boyko Boev, a Senior Data Protection Consultant at Data Protection People.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, as a result of which the date became known across Europe, and probably the world, as the GDPR day.
The GDPR day started as an ordinary day for me, at the London office of the housing association Hanover, for whom I am an outsourced data protection officer (DPO). Despite the recent flow of emails about new privacy policies from companies who had in mind the GDPR's coming into force, I did not consider 25 May as a finishing line, because I knew that, according to the latest major international survey by McDermott-Ponemon, which included companies across the U.S. and Europe, only 52 percent of the respondents expected to be compliant on the 25 May deadline.
Surprisingly, Hanover’s staff were more excited about the GDPR day than me. The London office of the housing association, which had started its GDPR compliance project in April 2017, turned out to be the best place to be in on 25 May 2018. I discovered that the company’s chat platform was full of GDPR jokes. Even the birthday card for a manager included a funny GDPR slogan. Like the pillow cover with a GDPR print on it, which I saw on Amazon, the GDPR birthday card melted my DPO’s heart. The excitement of Hanover’s staff during the day, which shows the organisation’s enthusiasm and commitment to data protection, changed my perception of the GDPR day.
On 25 May Hanover’s GDPR project manager Caroline Coard shared her GDPR readiness report with the staff working group, her email’s background showing celebration fireworks. Caroline wrote: “We believe that with limited exceptions (noted in outstanding items) we have achieved requirements to demonstrate compliance to Data Protection Act 2018” and observed: “This does not indicate end of the project which has agreed criteria not yet achieved but is a significant milestone.”
When I became Hanover's DPO two months ago I was impressed with the company's commitment to achieving GDPR compliance. Based on the PRINCE2 methodology, their GDPR project had a solid business case, plan and project organisation, including a full-time GDPR project manager, a project sponsor and a project team with representatives from all business units. In addition, the company has been receiving subject matter advice from a consultant from Data Protection People and later from me as an outsourced DPO.
Over the past year the GDPR project team worked hard toward meeting the GDPR requirements. During the monthly meetings, the business units were held accountable for the implementation of the project tasks. The executive team received regular update reports from the project manager and provided support to the GDPR project team. A data protection page on the company's intranet informs the staff of all new policies and procedures. Hanover also has a bespoke approach to data protection training, including an e-learning module based on the housing sector's needs and outreach training for their estate managers.
I think that Hanover have the right mindset towards data protection. As Elizabeth Denham, the UK's Information Commissioner, underlined the importance of a company's mindset for GDPR compliance, Hanover's experience can be useful to other organisations, especially those from the housing sector, who are at earlier stages of their GDPR journey. That is why a couple of days after the GDPR day I interviewed Hanover's GDPR project manager Caroline Coard and the Data Governance Manager Stephanie Vasey about their work on the GDPR project.
Caroline and Stephanie told me that the priority of Hanover's GDPR project team was to get support from the Leadership team. Next, they informed the staff of the new risks for the organisation and sought their engagement in the GDPR project. Finally, it was important to ensure that the GDPR project team understood the GDPR requirements.
According to Caroline and Stephanie, the biggest challenges during the GDPR project were the volume and breadth of work and the specific nature of the project, which required data protection expertise to ensure compliance with the various new requirements concerning a range of topics such as privacy notices, data sharing, processor contracts, breach notifications and data subject rights.
Caroline and Stephanie consider that the GDPR project increased the staff’s awareness of data protection and their knowledge of personal data processing within and outside the organisation. They credit the GDPR project group’s engagement and the executive level’s support for the GDPR compliance results. The recruitment of a full-time project manager and a consultant from Data Protection People as a subject matter expert was also crucial.
Data Protection People, which provides Hanover with a GDPR consultant and an outsourced Data Protection Officer, is commended, in particular, for the easy access to their expertise, which was instrumental in ensuring the quality of Hanover's new policies and procedures and in the prioritisation of the GDPR project activities.
Hanover understand that 25 May was not a finishing line. However, their achievements so far give them impetus to build a strong data protection programme which will operate after the GDPR project transitions into business as usual.