At Rise we are truly lucky to be immersed within a community of experts. Each individual has their own talent, opinion and knowledge. We decided that instead of writing what we thought of the world and the industries we all work in, why don’t we ask them?
This has part of our series of Q&A style articles that we hope will inspire you, educate you, and or empower you.
We had a chat with Mark Gracey who is a Data and Privacy Compliance Expert and spoke all things compliance, GDPR and the transition of working for yourself…
RISE: What is your name and your job title?
Mark: Hi, I’m Mark Gracey – I never know what to put as my job title as I run my own business, guess “owner”, but I tend to introduce myself as a data and privacy compliance expert, so maybe I need a job title that fits that…
RISE: What was it like jumping from being employed to working for yourself?
Mark: Generally I found the transition very easy, but once you get under the hood of running your own business you quickly realise its much more complicated than just delivering the service – you have to be the marketing manager, the accountant, the sales person and so on, but it’s very exciting knowing you’re in charge but some days quite daunting too. I love the fact that I call the shots – the success of the business depends on me and that’s very empowering. It’s hard work for sure, but I absolutely love it.
RISE: Since May last year do you think the world of compliance and GDPR has dramatically changed? Are we all WAY more accountable?
Mark: Data protection compliance in general hasn’t changed – we’ve had a comprehensive data protection law since the late 90s, but what the GDPR did when it came in last year, amongst other things, was to remind businesses that data protection compliance exists and is important for all businesses no matter what size or sector. It also raised awareness amongst data subjects (customers, employees, etc.) too, meaning they’ve been reminded that they have certain rights (and some new ones) and can challenge organisations about how their data is being processed.
As for accountability – well on the one hand we’ve always been accountable for our own compliance, but what the GDPR has done has raised the bar somewhat, with the new accountability principle which means it’s not just good enough that you think you’re compliant, you have to prove it too. It’s a big deal, particularly as we come round to the anniversary of GDPR enforcement – businesses have to prove they’re compliant now, next week, next month, next year… not just last May.
RISE: For those interested in getting into compliance, where would they start?
Mark: There’s a number of routes to compliance. There’s obviously the legal route, where you can study law and then specialise, but having a law degree isn’t a prerequisite. You’ll need an interest in law and be able to understand legal concepts and it will help in being able to translate complex laws in practical application.
My route into compliance came about 20 or so years ago. I’m a “techy” by nature (I have a Computer Science degree) and was working in the Network Operations Centre of a well known internet service provider and had the opportunity to move into the legal team and act as a “translator” between the legal team and the techies. That began my career in internet regulation, telecoms regulation, content liability and of course data protection (I became a data protection officer when the 1998 Act came into force). So I’m not a lawyer by trade, although I do have a Masters Degree in Computer and Communications Law.
RISE: Is there any advice you would give to businesses now we’re nearly a year on after GDPR has been enforced?
Mark: Make sure you’re still compliant. The GDPR requires you to review your compliance and so you shouldn’t think of GDPR compliance as just something you did back in May 2018. You’ll need to look at everything again, perhaps not in as much detail as you probably did last year but you need to (a) make sure your documentation, policies and employee training is up to date, etc. and (b) that your internal processes for dealing with day to day compliance still work (e.g. dealing with breaches, subject access requests and other individuals’ rights, etc.) You should also be keeping on eye on developments in the data protection and privacy as guidance and approaches to enforcement can change over time.
This is the focus for a new e-book I’ve produced which provides a framework for managing ongoing compliance or a 10 item checklist of things to check you’re still doing right.