Darren Craig from Northdoor on GDPR Compliance
Darren Craig is an Associate Partner within Northdoor plc, an IT Consultancy specialising in Data Solutions. Founded in 1989, Northdoor has created a consultancy-led engagement model for clients looking to start their GDPR programme. In its experience, Northdoor has found that companies are very confused about the legislation and need advice on the processes involved in meeting GDPR legislative requirements. The Northdoor Rapid Response programme allows clients to quickly define their strategy, clarify their existing position on data and data security, and create a clear roadmap that lets them progress towards meeting their GDPR target. Once the roadmap has been defined, Northdoor offers a combination of consultancy services and a series of solutions to detect, encrypt and secure client data so that their environment meets their needs. Here Darren tells Finance Monthly more about the GDPR-related services that Northdoor offers and the challenges that UK businesses face with less than six months before the looming deadline.
With the European Union General Data Protection Regulation coming into effect in May 2018, in your opinion, what are UK companies doing in terms of preparing for GDPR?
I think that so far, many companies have spent a lot of time educating themselves and building their awareness of what GDPR is. We’re finally beginning to see companies that are starting to implement programmes of work. However, there’s still a large percentage of companies that we talk to every day that haven’t even started their formal programmes yet and don’t expect to start one until January next year.
Do you think that this will give them enough time?
It depends on the size of the company, but I think that there will be a lot of British companies that won’t manage to be fully compliant by 25th May 2018.
Why do you think so many businesses in the UK have yet to initiate a GDPR compliance programme?
I think it’s a mixture of reasons. One of them is connected to the lack of marketing in relation to GDPR that the Information Commissioner’s Office (ICO) has done. I’m under the impression that a lot of companies think that GDPR is just another version of the Data Protection Act, which is not the case. It is in fact a very significant change, when compared to what the Data Protection Act expects them to do.
What are the first steps towards GDPR compliance?
The first step is understanding the gaps within your business. It is fundamental for businesses to accept that data protection is not just an IT issue – it’s a cross-business challenge that requires all departments to come on board as part of the GDPR project and identify the data protection gaps they have in their current processes.
What does a typical GDPR compliance project entail?
As mentioned, the project itself starts off with a gap analysis where companies identify the gaps they have. This is then followed by a discovery exercise in order to identify all the personal data that the business currently processes. The third stage of the project is then taking that data and mapping it back to a process within the business. Finally, companies have to carry out a Privacy Impact Assessment (PIA) against the process – only then do they fully understand the amount of work that they need to do in order to become GDPR compliant.
When assessing compliance, what areas do you find businesses commonly struggle with?
The most common challenge relates to marketing. Traditionally, companies use marketing data from lots of different sources, but under GDPR, they will require explicit consent to be able to use this information going forward.
The other challenging area is HR – the requirements are for Human Resources to make sure that they have the right legal basis in place to process their employee information.
The third area where we see companies struggle is third-party supply chains. Under the Data Protection Act, the supply chain wasn’t liable, however, under GDPR, the supply chain and the owner of the data are equally liable. Thus, there’s a legal requirement for every company to ensure that the third-party supply chains that they work with are also fully compliant.
Can you tell us more about the work you’re doing in the field of GDPR?
The work we’re primarily doing at the moment is advisory work: helping companies understand how much work they need to do around GDPR compliance and establish their project plan.
Why should companies choose Northdoor to help them with their GDPR compliance projects?
Northdoor is not a company that’s just jumped on the GDPR bandwagon – we have been a business for over 28 years and our key priority is to advise clients and help them manage their information assets effectively. We not only advise them in relation to data compliance, but we also help them secure their data and get value from it. We manage the whole lifecycle of information assets throughout the business and this has always been our core focus.