The General Data Protection Regulation (GDPR) is here to stay. The recent fines handed to British Airways (£184m) and Marriott (£90m) are an indication that the ICO is not afraid to punish those who fail to take it seriously. In fact, the ICO has the capacity to fine up to 4% of global revenue; for BA, such a fine would amount to just shy of half a billion.
Knowing that data protection compliance is now a permanent fixture is one thing; companies still need to move away from the notion that GDPR is a one-off compliance exercise and treat it instead as an annual health check, akin to a car's annual MOT. A car owner doesn't wait until the MOT before maintaining the car; ad-hoc checks such as tyre and oil checks are completed before a long journey.
Effective GDPR compliance mirrors the ebb and flow of data and data points, keeping pace with any structural changes (i.e. growth, acquisition, new markets) that occur within a company. Companies should perform internal due diligence checks, leveraging available tools, to ensure they remain compliant. Had Marriott carried out an effective third-party risk assessment, it might have identified the risk posed by its acquisition and avoided the fine.
So how does a company keep data protection at the forefront of its agenda, and how does it know the extent to which it "measures up" to the standards expected and to others in its sector? Through benchmarking. Benchmarking is the process of measuring a metric within an organisation and comparing it to a standard or to peers using a uniform measurement.
In relation to GDPR, benchmarking can be used to measure three different things:
- Where an organisation is in relation to a desired level of GDPR compliance;
- Where an organisation is, in terms of GDPR compliance, as compared to other similar organisations; and
- Progress from one period to the next in relation to an organisation’s level of GDPR compliance.
The value in undertaking a benchmarking exercise in relation to GDPR on a regular basis is that it can:
- Highlight key areas of compliance risk and opportunities to improve;
- Identify the improvements required to keep up with the rest of the industry;
- Demonstrate progress in relation to compliance from one period to the next;
- Provide assurance to the Board and Senior Management team, that the required level of compliance is being maintained on an ongoing basis throughout the organisation; and
- Demonstrate that the organisation takes GDPR compliance seriously.
How to benchmark
Purple recommends a 4-step approach to benchmarking for GDPR compliance:
- Strategy – Decide what the desired outcome of the exercise should be;
- Standards – Decide which criteria the organisation is benchmarking against;
- Methodology – Decide on the testing method(s) and who will be involved;
- Repeat – Re-run the benchmarking exercise on a regular basis.
Plan the scope of the benchmarking exercise.
- Decide whether the goal of the benchmarking exercise is to measure internally against the standard required by the legislation, or to benchmark externally against similar organisations in the industry. The goal will determine the approach taken. If an organisation decides to benchmark externally, an additional step will be needed to ascertain what information is publicly available to support the exercise. Alternatively, engage a third-party consultancy, which will likely have that data available as a result of work with other clients.
- Decide what level of compliance the organisation is seeking to achieve. Some organisations will look to achieve a base level of compliance, i.e. the bare minimum, and will score against that. Others will want to achieve a greater level of compliance and will therefore measure against a higher standard. The level required may be determined by the type of data being processed, the industry, or the geographic area within which the organisation operates.
Identify what the organisation is benchmarking against.
- To benchmark GDPR compliance, it is necessary to understand the core requirements of the legislation and decide on the criteria that demonstrate adherence to those requirements.
- For smaller organisations, the assessments available on the ICO's website may be a good starting point: https://ico.org.uk/for-organisations/data-protection-self-assessment/controllers-checklist/. For larger organisations, Purple recommends more granularity: it will be necessary to read the legislation itself to identify the key themes of GDPR. Additionally, the ICO's website provides mandatory and desirable criteria for meeting some of the principles of GDPR.
Once it has been decided what is being benchmarked against, it will be necessary to decide upon the methods that will be employed to test where the organisation stands against the required standard.
- Many methods could be used, including surveys, checklists, interviews and documentary review. Purple recommends that a mix of quantitative and qualitative methods is used, because comparing the data gleaned from both tends to produce interesting findings in its own right and yields better quality, more reliable results.
- Decide who will be the subjects of each method, e.g. staff, volunteers, third-party processors or even customers, depending on the organisation and its values.
The benchmarking exercise can and should be reused, so the work put into defining the process will pave the way for successive reviews.
One of the core principles of GDPR is the concept of 'data protection by design and default', which requires proactivity, ongoing monitoring and a need to keep awareness and artefacts up to date. Re-running GDPR benchmarking at regular intervals supports adherence to this principle by proactively testing that the processes, policies and procedures that have been implemented are working and achieving the desired level of compliance. Purple recommends re-running the exercise annually, or more often where there has been major change within an organisation.
Any benchmarking process takes time but, as the recent fines have shown, the cost of supporting ongoing compliance is worthwhile.
If you are looking to carry out a benchmarking exercise, it would be worth considering Purple's GDPR benchmarking service. Our service:
- Provides and disseminates GDPR awareness across the organisation;
- Reports against key GDPR themes and criteria;
- Leverages both qualitative and quantitative methods;
- Provides a comparison against similar customers;
- Provides a prioritised transformation map of improvements.
For more information, or to make an enquiry, reach out to us at firstname.lastname@example.org