Here are our tips on how to plan rather than panic
The deadline for GDPR is now less than six months away, and to judge from surveys carried out by vendors and publishers, there is a significant number of organisations that don’t think they will be ready for it on time, while some say they have barely even started planning for it.
But what do “ready” and “on time” mean in this context? That was one of the most interesting topics that arose last week, when I participated in a round-table discussion of GDPR with people from around the data industry. We all had different perspectives on the topic, yet we found a lot of common ground to agree upon.
One of the biggest issues with the GDPR is that it is not directly prescriptive. It is more of a journey, and compliance is not something that you can buy off the shelf. Compliance is a corporate mindset, one that must be implemented via processes and policies, although of course having the right technology foundation will make it easier to implement those processes and simplify the task for your people.
Despite its reliance on terms such as ‘fair’, ‘reasonable’ and ‘appropriate’, which will probably need to be tested in court, the GDPR is widely expected to become the de-facto standard for privacy world-wide. One reason is simply that any organisation anywhere which deals with the personally identifiable information (PII) of EU residents must follow the GDPR, so it makes sense to apply the same rules to all the PII that the organisation handles.
So if your organisation is one of those that doesn’t expect to be ready by ‘GDPR Day’, what can you do? The vital thing is to plan, rather than panic – all the signs are that the data protection regulators’ main aim is to help, not punish – there’s no indication that they will be issuing €20 million fines from day one.
That said, it is absolutely essential to engage with the GDPR and show willing – to show you have already taken steps, and that you have a road-map for more. The regulators will not tolerate egregious or reckless disregard for the GDPR – indeed, I expect them to be on the look-out for organisations behaving like this. Hitting one of them with a fat fine for a reckless data breach could be just what’s needed to encourage others to fall into line.
And for many organisations, GDPR compliance may not be that onerous, especially if you already handle customer data fairly and transparently, and if the processing of PII is not your main business. As one of the others commented, “If you’re compliant now, that’s a good starting point.” Yes, GDPR does add to the requirements – in particular, most will need extra record keeping, plus you must have procedures for breach notification and people have new rights over their PII. However, the compliance mindset and the underlying processes should carry over.
With all that in mind, here are some top tips culled from my notes. They are not exhaustive, nor are they in an absolute order, but they are all key steps along the road to working with the GDPR, not against it.
- Understand the GDPR, taking advice from a specialist lawyer if need be. There are also some useful apps to help you – have a look on your preferred app store.
- Assign key responsibilities and give them the authority they need.
- Data discovery – understand what you have, where it lives, and how it’s protected.
- Identify which of your data sets is covered by GDPR. Not all of them will be.
- Check what compliance and protection capabilities are already in place and locate your GDPR gaps. Ensure you have the necessary consents in place, or plan to get them, but don’t forget that consent is not the only lawful basis for processing PII.
- Assess your risk exposure and prioritise – if you can’t comply in every area by May, make sure you cover the most important ones first.
- Minimise what data you collect and hold. If you don’t need it, delete it.
- Don’t be afraid to ask your national data protection regulator or information commissioner’s office for advice. The regulators are not out to entrap people – their job is to promote and assist compliance.
- Build a road-map. Not only do you need a plan anyway, but if something does go wrong it demonstrates your willingness and may help mitigate any punishment.
- Use it as a catalyst for change. That probably means doing things that you should have done already, but were too busy or underfunded for – database cleansing, identifying best practices, improving your data security posture, modernising and consolidating your data protection systems, etc.
In summary then, whether you’ve already started your GDPR planning or not, don’t despair! Some organisations – those who hold little PII, or who touch it only in one place, say – should find it relatively easy. It will be harder for others, but even here the key thing is to get moving as soon as possible, cover as much as you can by GDPR Day, and have a solid road-map for covering whatever remains.
And in any case, these are all things you should be doing anyway – in this respect, GDPR is merely the motivating force that will embed them as the standard operational practices that they already ought to be. Things such as access controls and the ability to thoroughly delete data, and of course having in place privacy policies, documented procedures and properly negotiated contracts.
Hearty thanks to my fellow GDPR-watchers for their expertise and observations: lawyer Renzo Marchini from Fieldfisher; Joe Garber, the global head of product marketing, information management & governance product group at Micro Focus; Ross Jackson, vice president of customer transformation & innovation at Mimecast; Stéphane Estevez, the worldwide product marketing manager for backup and DR at Quantum; Danny O’Neill, senior manager cyber security UK at Rackspace; and Ricky Patel, UK&I channel sales director at Wasabi.