It is great to work in a business where everything moves fast, lots of new developments are on the go and products and services are being pivoted to meet potential new markets. However, it is an environment that can generate issues for the compliance team if they are not kept in the loop. GDPR includes a principle of data protection by default and by design, which means building data-privacy-friendly solutions into projects and new offerings.
The key is to carry out data protection risk assessments as part of the initial project viability study. A quick check on the proposed use of data to meet the project's objectives will enable a data protection specialist to highlight the likely data protection issues that will arise and flag potential solutions. A short list of points where more detailed input will be required may be all that is needed for the viability assessment of the project, and it indicates to other team members where that input will be needed as the project progresses. The aim is to support development, not stifle it!
Rarely, if ever, will the data protection issues be fatal to the project. The early stages of a development provide plenty of scope for building in privacy-friendly alternatives.
Sometimes the data protection compliance input feeds directly into project planning, for example highlighting the need to build in additional time or resource to put data processing contracts in place, particularly in territories outside the EEA where education of partners about the UK data protection regime may be required before contracts will be signed.
In businesses where a compliance sign-off is required at the end of a project, it makes so much sense to address compliance issues as the project progresses rather than finding that the project launch is delayed due to the need to adjust processes, particularly those involving IT.
So the message for the business development team is to involve compliance professionals early in projects to make sure that pitfalls, and all the time and cost they entail, are avoided.
Mandy P Webster, Data Protection Consultant