We help organisations to comply with data protection laws and we often get asked to send a quote or proposal to a client explaining how we can help their project team with data protection and what we will charge. Based on our experience, these are our top tips. We hope they are helpful.
Focus on outcomes
Know what outcomes you are seeking to achieve from what you are doing or what you’re asking an external service provider to do. What will you have achieved? Why you’re doing something is always more important than what you’re doing or how you’re doing it. For example, if you already know there is a big gap, why not start by closing the gap rather than by analysing it?
Know what your specific organisation needs
Before you request quotes or proposals, make sure you know what your specific organisation needs. All organisations are different and there is no one-size-fits-all. We don’t have a standard proposal that we can send you. It depends on the requirements of your specific organisation. Where is your biggest impact? What is your biggest risk? This applies to all steps.
- Organisations have different levels of awareness.
- Organisations plan in different ways – different organisations need different kinds of gap analysis. Make sure your gap analysis accurately scopes what your organisation needs to implement.
- Organisations need to take different actions depending on their nature, their industry and their current level of compliance.
Our data protection programmes will help you know what your specific organisation needs.
Work out who is going to do the work
Who is going to do the actual work? Is it people within your organisation or an external service provider? It is very hard, if not impossible, for you (and people within your organisation) to do it all. On the other end of the scale, getting an external service provider to do it all for you is also impossible. External service providers simply can’t make you compliant. You cannot outsource many of the actions. I know you’re busy and that you’re stretched, but external service providers simply can’t do it all for you. This is why we often say that data protection is like personal fitness: nobody else can get fit on your behalf. Be wary of anyone who says they can do it all for you. The answer lies somewhere in the middle – a team effort.
People within your organisation are going to have to do the majority of the work (roughly 65% of it). You want to empower them with the guidance, know-how and tools to do it fast. This is where our data protection programmes come in handy. With our programme, people within your organisation can do 100% of it. But you might decide to outsource some of the 35% (that which can be outsourced) to external service providers. Be clear in your RFP or RFQ what will remain your responsibility and what you want the external service providers to do.
It is also unlikely that one external service provider can do everything you want to outsource. You will probably have to engage multiple providers, because a multi-disciplinary approach is required for data protection.
Get project management right
Someone needs to manage the project and make sure there is clarity on who is going to do what by when. Projects have to be managed. Identify what tools you need to use to manage the project.
Accurately scope what you need
If you ask for quotes or proposals on a vague scope of work, you’ll get very different quotes and proposals from external service providers, and it will be very hard for you to compare apples with apples and decide which quote to accept. You have to be accurate on the scope of work, and this is usually only achieved through discussion and workshopping the scope. For example, if you want external service providers to update your policies, you must tell them how many policies they will have to review and how long they are, and give them an example of a policy. Some work can’t be scoped upfront, and that’s fine – in that case, ask for hourly rates. Our data protection programmes will also help you to accurately scope the work you need.
Be clear on the sort of quote you want
Be clear on whether you want a fixed price or hourly rates. If you have accurately described the work to be done, the external service provider should be able to give you a fixed price. If you can’t scope some work upfront, ask for hourly rates. But always try to ask for and work on fixed price quotes. Estimating hours and billing at hourly rates has serious limitations – alternative billing arrangements are usually better.
Take your time
There is always pressure to make progress and show that you’re taking action. It may be in your KPIs. But if you rush learning and planning (by, for example, putting out an unclear RFP or RFQ), you will pay the price later. Take your time to work out the things mentioned above. Seek advice early and choose the right road for your organisation the first time. Our data protection programmes can help you do this. When you decide when you’re going to do what, be mindful of the timelines of the data protection laws you need to comply with (for example, the POPIA deadline).
Do some quick wins fast
Make quick progress by doing some of the quick wins first. These are things that are easy to do, cost little and manage significant risks. We can help you identify these through our data protection programmes.
Don’t spend all your budget planning what you’re going to do
Your organisation is going to need to learn (raise awareness), plan (including a gap analysis), protect personal data (implement actions) and then sustain it. Planning is very important, but don’t spend all your budget on planning and then have nothing left for the most important thing – actually protecting personal data. As a guide, spend about ten times as much on protecting personal data as you spend on learning and planning. For example, if you spend x on a gap analysis, plan on spending about 10x on implementing.
Break data protection projects down into steps
Don’t try to do the whole exercise in one go. Break it down into steps, like learn (awareness), plan, protect (implement) and sustain. Ask for assistance from external service providers for different steps one at a time, in sequence. You will learn a lot from each step, which will help you scope the next step. You might want to use a different service provider for different steps. For example, you should use one external service provider to implement and a different service provider to audit what has been done.
Get your governance right first
The first thing to do as part of planning is getting both your project and data protection governance right. This will enable everything else to fall into place. Brief your governing body, appoint your officer, set up your project, and identify champions.
Data protection is not just about making everyone aware of it
It is very important for people within your organisation to learn and have the right level of awareness (depending on their role) of data protection, but remember that making everyone aware is not the only thing that needs to happen. There is much action to be taken to protect personal data. Who is going to do it, and is there a budget for the roughly 35% that external service providers can do?
Focus on data protection, not compliance
See it primarily as an exercise in protecting your stakeholders by protecting their personal data and secondarily as complying with the law. It isn’t that important which data protection laws you’re trying to comply with – they are all about 80% the same anyway. Call it a data protection project rather than a POPIA compliance project or a GDPR compliance project.
We need to protect people’s personal data – let’s just get on with it. It should not be because we must but because we want to.