As publishers prepare for the arrival of new data protection laws, Bridget Shine reports on the IPG’s work so far
“Here’s a little project you’ll enjoy working on while I’m away,” I said breezily to the IPG’s Nikki Grogan as I headed out of the door on holiday last July. “It’s called GDPR.”
There is a lot of information out there about the GDPR—General Data Protection Regulation—that comes into force on 25 May. So much so, in fact, that it can be hard to know where to start. Like many of our members, the IPG has a small team with big workloads. But like every business, we need to ensure that we are compliant with the new regulation.
Being indefatigable optimists, we have approached the changes as an opportunity to review all our systems and processes—not just to make us compliant, but to make us more streamlined and an even leaner machine. Will we feel quite so positive in a few months’ time? We’ll see!
From last summer Nikki has immersed herself in GDPR guides, webinars and other resources. The IPG identified the areas we had to focus on, and quickly realised that we needed someone to guide us. Every business is different, and there is no one-size-fits-all solution for something as far-reaching as this, but we will not be alone in needing help—so we approached a specialist, MAGNEZIUM, for an assessment of our current work.
To prepare, we compiled a summary of our systems and processes. We soon realised that to comply with GDPR we needed to make sure that everyone in the IPG team understands how the changes may impact their role and the IPG. We have made GDPR an agenda item at our weekly team meetings ever since we began this journey to compliance.
Our one-day meeting with MAGNEZIUM walked us through an online questionnaire. The value of having someone to guide us—and, from time to time, translate what things meant for the IPG—was huge. It was seven hours well spent.
A fortnight later we received our comprehensive report (see an example) and defined our next steps. Every business will have different needs of course, but here are the six ensuing strategic actions that we are now taking to reduce our risk and become GDPR-compliant.
1 Appoint a Data Protection Officer
A Data Protection Officer (DPO) has responsibility for an organisation’s data security and privacy and GDPR compliance, and acts as a primary contact for the Information Commissioner’s Office if needed. Given our size and resources, we won’t be employing a dedicated DPO, and these duties will fold into an existing role—one that is independent of the chief executive’s responsibilities and so without conflict.
2 Embed a DSAR process
Post-GDPR, organisations will need to be able to respond to anyone who wants to see or change the way their data is used and managed. Putting in place a process for any such Data Subject Access Request (DSAR) will help to reduce workloads in the future.
3 Adopt ‘Privacy by Design’
We are adopting a ‘Privacy by Design’ process to ensure that any changes across people, processes, technology or data are GDPR-compliant from the start, rather than added on later.
4 Gain appropriate consent
We understand that we need appropriate consent from individuals for the processing of their data. This means we will be contacting members to let them know what personal data we hold, and get fresh consent for our storage and use of it.
5 Remove unnecessary data
While we ‘clean’ our data regularly, we don’t have a formal data retention policy. We are now assessing all the data we hold and will dispose of any ‘old’ data before 25 May. We will introduce a formal data retention policy too.
6 Review all contracts
All the contracts or agreements we currently have in place now need to be reviewed for GDPR compliance. We are working towards a Data Protection Impact Assessment (DPIA) that will identify any gaps in our current agreements and will hold controllers and processors accountable for compliance.
What we've learned so far
We are in the thick of our GDPR preparations, and have already learned several valuable things. Firstly, that this process is so important that it needs to be driven from the top of an organisation down, with all team members engaged to some degree. Secondly, we would not be as well informed about the requirements of GDPR had we simply completed an online tool; the support of experts is important. Thirdly, GDPR demands the investment of time and at least some money, because no-one can afford not to be compliant. We’re all busy—but as well as getting ready for new regulations, this is an ideal time for any business to improve systems so it can operate even better.
See also this IPG blog about the basics of GDPR, this report on a session about it at our November 2017 Quarterly Meeting, and these ten tips for collecting and storing data on the IPG Skills Hub. The Information Commissioner’s Office has , and there is more detailed advice from Croner in and . IPG members also have free access to the Croner Business Support Helpline, which provides advice on issues including law, HR, tax and much more. For details of how to access the Helpline, click here. The IPG will be providing more resources and case studies about GDPR in the next few months, including at the Annual Spring Conference from 7 to 9 March.
is offering IPG members a 10% discount on its GDPR-related services. Contact Matt Smith if you would like to take advantage of this special deal.