A few months ago I published a simple blog post about what I knew back then about GDPR: GDPR and what I know. I had worked alongside our Chief IT Security Officer, in the capacity of a Project Manager, to ensure that we comply with the regulation. Managing something you do not understand is very difficult, so working with the CIO directly was very helpful. The company ensured that the privacy policy was updated and that our clients and suppliers were notified.
Working in isolation cuts you off from the learning that other people and organisations can bring to the table. As part of my volunteering with the Chartered Quality Institute – London Branch, we aim to deliver around two events a quarter. Earlier in 2018, many institutions were organising talks about GDPR, and we did not want to be yet another one. We decided to wait and arrange something that would highlight the lessons learned since the regulation's go-live date.
Having as a speaker the consultant who helped the CQI implement a framework to comply with the regulation was a quick win. Emmanuel Lazaridis is a data scientist with extensive experience spanning hardware to software, data collection to data visualisation, and data protection. The event was well attended and Emmanuel covered three main topics:
- What the CQI did to implement GDPR
- How to ensure vendors outside the EU are assisting in the implementation
- The importance of notice and personal data processing
Emmanuel went on to give attendees:
- Lessons learned thus far
- Fines and penalties
If you are a GDPR “fan” or simply involved with data security in your workplace, this event would have been a good fit. This post, however, is not about GDPR itself, but about how the CQI ended up mapping its processes to ensure compliance.
How many times have you stepped back from the chaos of your daily operation and looked at how your processes interact with each other and, most importantly, how your customers interact with them?
For example, when looking at all of the areas that handle personal data for customers – internal and external – the CQI identified that Membership is the area that interacts with personal data the most, followed by Human Resources, while Partnerships interacts with it the least. As a Quality professional, understanding the source of your data is the foundation of any fact-based decision.
With the sources of personal data understood, Emmanuel took a deeper dive into the legislation itself. To comply with GDPR, any institute could operate on the basis of consent alone; this would technically make every interaction lawful. However, Emmanuel said that this would have been a weak approach to compliance. To secure compliance more robustly and implement the regulation more strongly, the institute went on to base its processing on the other lawful grounds the regulation provides: legitimate interests in collecting and processing the data, the performance of a contract, the protection of the vital interests of the parties, the need to perform a task in the public interest, and compliance with a legal obligation.
By doing so, and by mapping the above grounds onto the processes mapped earlier, the CQI identified that it can operate in compliance with GDPR with 41% of its data collected and processed on the legitimate grounds listed above, and only 19% on the basis of consent.
This exercise was an eye-opener and very insightful. To me personally it was very helpful, because it combined process mapping with the foundations of scoping in project management. Emmanuel went on to discuss how important it is to bring vendors who operate outside the EU in line with the compliance effort, the importance of notice, and some of the penalties, shedding light on the Data Protection Act 1998 and the newly implemented GDPR.
Emmanuel hosts several meet-ups in London and across the UK for GDPR followers, to continue to shed light on the regulation itself and discuss its key clauses.
One thought on “GDPR – 2 Months in”