GDPR. A long journey. In every sense of its meaning.
As a start, the General Data Protection Regulation (GDPR) arriving next year (May 25th 2018) marks the end of a very long journey. One that started with Data Protection laws crafted in a different age, for a different age – over 20 years ago to be more precise.
If you think about how much technology change and development has walked through our doors in the past 20 years, it’s a wonder the GDPR has had such a long journey.
GDPR. A long journey
For those trying to make sense of it, certainly. I can read pretty well. And am used to comprehending complex narrative. And the regulation itself, written in a very accessible way, is nowhere near as long compared to its wide-reaching impact. That is not the long journey I’m referring to.
But the meaning. Understanding the meaning behind the legislation change is the long journey that I and many have been, or are currently, on.
At a conference in The Hague in May 2017, focused on Privacy and Security in the Telecommunications industry (link), I repeatedly heard interpretations of what GDPR would mean for me. In the end, however, that is for me to decide.
And therein lies the journey.
No-one truly knows:
- How fines will be dished out
- Who will get fined, and
- For what compliance transgressions
The regulation is not a compliance ‘to do’ list. It’s a framework that can be interpreted. The trick is to understand the impacts on your company and current working practices. And to envision required changes to those practices.
In an indirect quote, the UK Information Commissioner Elizabeth Denham stated that no organisation can realistically be GDPR compliant. It’s a set of guidelines that, for all our efforts, we will at some point fall foul of.
So when I say getting GDPR compliant is for me to decide, it really is. Specifically, how do I want to approach getting my company GDPR compliant?
How do I want to approach getting my company GDPR compliant?
If, as the UK Data Commissioner suggests, no company can truly be GDPR compliant, it is important I create a set of working practices, supported by the right systems, that demonstrate my willingness to get and stay GDPR compliant.
As a risk management strategy, demonstrating I have repeatable and auditable processes that are designed to leave me compliant is a robust position. A position that I’ll be sure to articulate early when discussing the contributory factors surrounding my first GDPR transgression with the ICO…when that time comes.
It’s inevitable after all. That’s why I need a strong position from which to negotiate.
The length of this part of the journey will really be decided by the size of your organisation, the resources you have at your disposal, the reach and so on. My company’s journey should be considerably shorter than those of Google or Microsoft, for example, despite the vast difference in available resources.
And here you have choices. Choices in what Risk Management strategy to employ. Perhaps too many choices. For all organisations the end goal is simple however – reducing risk.
Delete. Strategy one.
Use a search engine, find a GDPR consultancy, phone them up, buy a couple of hours advice on your credit card and ask the question: What is the quickest way to get GDPR compliant? You’ll likely be advised to delete as much data as you can.
As a risk management strategy, it’s effective.
Cheap and quick to implement. And, potentially, the ratio of lost corporate knowledge versus risk of fine (to a maximum of €20m or 4% global turnover, whichever is greater) is appealing.
But it’s a path that many orgs will be unwilling to tread…wholesale, at least.
Corporate knowledge is power. The power to business plan, leverage and monetise. That data, managed and handled correctly, can be a valuable asset.
Migrate. Another strategy.
Migrate from hard to manage sources such as file shares, or poorly implemented document management systems with limited taxonomy and search capabilities.
But before you can start that process, you have to understand what’s there, and classify it accordingly. Moving a problem from one system to another still leaves a problem.
Manage. The intelligent strategy.
Look at a confident and relaxed business leader being interviewed and what you’re actually looking at is a person with a competent team and reliable data behind them. Making a statement based on demonstrable fact is a comfortable position to come from.
Holding a conversation with an ICO auditor on audit day one is no different a situation.
Implementing technology that can support the enforcement of your well thought out policies will not only complement staff training on data handling, but will provide a convenient focal point for audit.
Audit. Define. Delete. Migrate. Manage. The realistic strategy.
And so here we are. The most likely and realistic strategy for organisations.
1. Audit – Work out what you’ve got, on who, in which system and why
2. Define – Document policies based on working practices, data generated as part of day-to-day operations, current data held, data risk versus value of data, current systems and their suitability
3. Delete – Data that offers no corporate value but presents high risk
4. Migrate – Content that has high corporate value but presents high risk in current location
5. Manage – Implement data management controls and process automation technology to make that ICO conversation much simpler
What should I be looking for in systems to support this realistic strategy?
Well, here’s a simple checklist of the things I’ve looked for. You’ll find some items that could sit comfortably under multiple headings. And your situation might demand a slightly different list. But for most orgs it will be a good starting point.
GDPR Technology Tools Capability Checklist
- Can my search and classification technology span all the systems in my organisation?
- Can I get a unified view across all my corporate systems about what data I have?
- Can I see what amount of data will likely fall under the GDPR?
- Can I identify what data contains PII and sensitive PII?
- Can I implement one GDPR corporate taxonomy across all data sources?
- Can I implement and enforce data handling policies across all systems in real time?
- Can I implement data handling processes in a repeatable and auditable way?
- Can I demonstrate a repeatable and auditable process for handling data handling exceptions?
- Can I automate remediation activities as part of data handling exception management?
- Do I have the mechanisms in place to turn Subject Access Requests around in under a month?
- Can I automate the verification of Data Subject identity as part of Subject Access Requests?
- Can I implement a right to be forgotten request in an automated and auditable way?
- Can I update information held on Data Subjects in an automated and auditable way?
- Can I keep Data Subjects up to date with the progress of their Subject Access Requests in an automated way?
- Can I limit manual handling in the management of data handling exceptions and Subject Access Requests?
- Can I quickly and easily add new data sources to my corporate data management systems?
- Can I adapt compliance processes quickly and easily while still maintaining the right controls?
- Can I get visibility across all data handling exceptions and Subject Access Requests, including:
  - Adherence to SLA
  - Overdue and soon-to-be-overdue cases
  - Risk profile
  - Repeat requests versus new requests
  - Request volume trends
  - Process stage breakdowns
- Can I see where data in my corpus is ‘near missing’ my GDPR and PII taxonomies?
- Can I adapt and refine taxonomies based on reporting outputs?
- Can the technology fit into existing systems and processes in my organisation?
- Can the technology complement existing processes rather than having to rip and replace?
- Can the technology be delivered on premise, public cloud, private cloud or hybrid as is appropriate?
- Can the solution be implemented and delivered with a low code / no code approach?
- Can the solution be maintained and adapted over time without the need for long development cycles and waterfall project planning?
If you get anywhere near that list, you’re on the right track.
Summary – GDPR. A Long Journey
From its long-overdue need, to the potentially long, complicated and tiresome path many organisations will have already started towards compliance, one thing is certain – the journey will be littered with missed opportunities.
Opportunities for organisations to take control of the situation and turn threat into business and reputational advantage.
One company’s pain is another’s profit. Time to choose sides.
About the Author
Simon Wright is the CEO of Britecloud (LinkedIn), a UK software distributor specialising in cloud-based security, compliance, process automation and productivity solutions that drive value and return on investment for organisations of all sizes.
Britecloud recommends process automation tools in ‘The Nintex Workflow Platform’ from Nintex to reduce the impact of changing business regulation and compliance on your organisation. For more details on the upcoming webinar, Contact Us or call +44 (0) 203 876 5221 to discuss how quickly you could start adapting your business today.