As a privacy professional, a question I often get asked during client meetings is how long will it take to implement the GDPR. Truth be told no one expects an honest answer. GDPR implementation is taken to be something mechanical and what people want to hear is that having a compliant privacy program in place is as quick as downloading a software. So, when it is told that GDPR “implementation” will take months altogether, it is often seen as a deal breaker!!

Any privacy program framework implementation and consequent steps take somewhere from 5 to 8 months (also depending on the size of the data an organisation is dealing with) to give you a complete privacy framework of your own and even after that, a privacy program is a way of life of an organisation, if it may be put so. Privacy program management is more and beyond a one-time activity. Since the volume and type of data that an organisation would choose to receive is dynamic, so is your privacy program! You have to nurture it and keep at it!

In essence, a privacy program management can be broadly contoured as follows:

1. Planning– prepare a data inventory and map data, have a record of processing activities, conduct meetings with the relevant stakeholders, undertake gap assessment and analysis, review existing policies and procedures, form a core privacy team etc. ;
2. Execution- map existing info-sec controls to GDPR, institute privacy by design (“PbyD”) guidelines and putting PbyD into practice, train relevant stakeholders on the basis of their roles in the organisation, have draft templates for various agreements in place, have rules laid out for the Data Protection Impact Assessment (“DPIA”) process, have data retention policy in place, have an incident management system in place with appropriate breach notification procedures, undertake monitoring and reporting, having in place mechanisms for cross border data transfer etc.; and
3. Improving– undertaking compliance audits, review and update the policies, basis the manner in which systems react to the privacy framework tweak your privacy program, assess need for DPIAs, review cyber security measures etc.

An organisation’s commitment to its privacy program is reflective of whether it wants to build a trust relationship with its customers. It is more than just something that is going to have a monetary impact on you, it is something that will have an impact on your goodwill or reputation, and we all know why goodwill reflects on the asset side of a balance sheet!

Be it compliance with the GDPR or the much awaited Indian legislation on personal data protection, my advice to all privacy professionals in India would be acquaint businesses with the fact that having a compliant privacy program in place requires concerted and sincere efforts spread over a reasonable period of time! A privacy team must not be viewed as a cost center simpliciter ignoring the competitive advantage that gets added to your organisation once you get the privacy management bit right!

After all, whatever is worth doing, is worth doing well!