I am sure many employers breathed a huge sigh of relief on 25th May 2018 as they put up new privacy notices on their websites and issued final versions of updated data protection policies to their teams in order to comply with GDPR. However, for most that date was only the beginning of the journey towards GDPR compliance, rather than the end. The ramifications of the EU legislation have been felt by all businesses, regardless of their size, and are still not fully understood by many. But, it is clear that the reviews and readiness work in the run up to ‘go-live’ have unearthed many working practices that have needed a substantial overhaul for some time.
So, what has happened to your organisation’s GDPR project? Have the corks popped, the project been ticked off the list and the plans neatly filed away? Or, are you and your team planning how to deal with the mountain of new projects that have been created because of the wider impact of the regulation?
For many of our clients, we have seen a number of sub or fully-fledged projects emerge, including:
- Process work to support the implementation of new/amended polices, such as:
- IT process and procedures review, including breach simulations
- audit and compliance overhauls (particularly relating to data)
- HR related process changes
- Culture change projects, to embed behavioural changes required to every day working practices, including:
- knowledge management maturity assessments
- aligning existing standards across jurisdictions to create global standards on data protection
- linking ongoing GDPR training, business continuity and cyber security initiatives
- A range of system implementations, including the roll out of:
- HR platforms
- document management systems
- payroll and finance systems
- CRM systems
- Wider data security reviews that focus more intently on:
- data transfers
- ongoing application security reviews
- data loss prevention
So, if you now have a wide range of GDPR related projects which have recently been added to your portfolio, what should you do now?
- Spend time scoping these projects thoroughly – don’t be pushed into committing to delivery dates before the costs, timescales and resource requirements are fully understood. It is sometimes tempting to rush the discovery phase of your project, but not scoping projects thoroughly at the outset could result in your long-term project costs sky rocketing.
- Insist on holding a session to re-prioritise your projects – at this point it is critical to review the whole change portfolio with your most senior leaders. It is essential to determine which projects and programmes truly align with your strategy and which do not. Those which don’t hold up under scrutiny should most definitely be de-prioritised.
- Set expectations – the hardest conversations are often about what you are not going to deliver. But once this subject has been broached and it is approached with honesty and integrity, you can create an agreed stance that you can communicate and maintain with confidence, even when under extreme pressure. Consequently, the quality of any project discussions will usually improve dramatically. Over-promising and under-delivering unfortunately seems to be the norm in project delivery. Join us in breaking the mould.
If you feel like you can relate to any of these points and would like to talk to us confidentially about the health of your GDPR related projects, please do get in touch using the contact form below.