"It may come as a surprise how many third parties see and use your data."
EMEA Privacy Manager Alan Curley of Johnson & Johnson on 10 ways for companies to get GDPR ready
What's your name?
Alan Curley
What position do you hold?
EMEA Privacy Manager, Johnson & Johnson
How long have you held the position?
18 months
What are your day to day responsibilities?
I have privacy oversight and responsibility for Janssen Pharmaceutical Division of J&J in the EMEA
What is your professional background?
I have 10 years experience in privacy and compliance roles prior to this, in the Healthcare
and Telecoms sector.
Tell me about yourself away from work?
I am keen sports enthusiast. I recently completed the Dublin City Marathon.
Tell us something very few people know about you?
I once tripped over a Head of State by accident. Very embarrassing at the time!
You are speaking at our GDPR Summit in December. What are you speaking about
I am participating in the Panel Discussion: “GDPR – making it real”
What major challenges do you see for organisations implementing the new regulation?
I guess the biggest challenge now, is being ready in time. 10 quick wins between now and
25th of May, 2018 might be
1. Remove the pre-ticked box in your customer sign-up journey.
2. Improve your privacy policy. Turn it into a “easy to read” document, that people actually understand.
3. Get somebody on your board to sponsor GDPR compliance. Conversations about Budgets will be much easier.
4. Get that data mapping done. Begin the process of knowing what data goes where. It may come as a surprise how many third parties see and use your data. It may also be a surprise where those third parties are based.
5. Once the data map is complete, task someone with drawing up a list of all the third parties who handle your business data in order find all those third party contracts. You should have a set of reasonable processor terms that you are happy with for thosecontracts with your third parties.
6. International Transfers - For now, it is likely that model contracts will be the simplest way of ensuring compliance with overseas transfers outside the EEA (although now it has been approved, you can also use Privacy Shield for transfers to the US).
7. Talk to your IT team. Do you have a suite of policies or do you have a single page in your staff handbook? Do you impose a security questionnaire on your data processors?
8. Draft a data breach plan with roles and responsibilities defined.
9. Put a records retention policy and a subject access policy in place.
10. You might start looking in to software solutions that assist with documentation. Part of the challenge of complying with GDPR is documenting your compliance!
Alan Curley is appearing at The GDPR Summit. The agenda and further details for this important national event at Croke Park on December 5th, is available atwww.gdpr17.com
