by Myles F. Suer

When it comes to GDPR, are CIOs finally ready?

Jul 18, 2018

GDPR is a significant change for all organizations. The question is how prepared organizations are to respond to all of its edicts.

Now that the build-up to GDPR is over, I wanted to get a sense of CIOs’ progress at implementing GDPR. So I asked the #CIOChat, which covers a broad range of industries. Their answers should be valuable to everyone working on their GDPR journey. To be clear, CIOs say there is still work to be done!

Do you have a good feel for the impact GDPR has for your organization?

CIOs say many organizations still have a limited understanding of how GDPR impacts their business. More importantly, they believe there are many GDPR facets still needing to be worked out. Having said this, the CIOs in the #CIOChat claim that they personally have a good feel for the impacts of GDPR.

CIOs said they have a policy that responds to GDPR. When asked what changed with the policy, they claim that it raised their “compliance bar”. From a “technical” perspective, they say GDPR, like other compliance requirements, makes sense for systems and data. Unfortunately, they say, the business and legal perspectives are not as clear. One CIO, however, said they built out a cross-functional team two years ago. For this reason, the impacts were visible to the entire organization.

CIOs believe that when GDPR was created, the European regulators clearly had big companies like Google in mind. These organizations, they say, have the people to readily make the required changes. CIOs, however, believe the law is a burden to smaller companies, colleges, and healthcare organizations that don’t have the resources of a Google.

What are the biggest changes GDPR is forcing on their organizations?

CIOs suggest that GDPR has afforded them an opportunity to revisit their broader privacy policy as well as to educate their teams about why privacy matters. Given this, CIOs say GDPR can be a positive catalyst for fixing privacy concerns. CIOs suggest GDPR, therefore, represents an opportunity to revisit, review, and revise governance around data and privacy. CIOs believe sector-by-sector machinations around gaps are wasteful in terms of time and resources.

They say that one of the core issues with GDPR is the need to know where your customer data lies. But there is more to this. You need to deal with your data silos by integrating customer data and enforcing consistent data governance rules to ensure data is correct and is removed when there is no legitimate purpose for keeping it. If organizations don’t invest in these capabilities, they will struggle to address the data governance demands of the GDPR.

Most organizations, CIOs say, do not have the fundamentals in place. CIOs say from experience, they believe the case law will ultimately determine what is or is not reasonable. CIOs stress that GDPR is a lot more than the ‘right to be forgotten’. It should drive, CIOs say, a simplification and streamlining of data within organizations.

How well do your business leaders understand GDPR and how it impacts their business processes?

CIOs say GDPR certainly impacts business leaders. The impact, however, depends on how well-governed a firm already is regarding data and privacy. Many CIOs say they were GDPR-ready well in advance. Others say that the impact will be understood when their organizations embrace privacy as a concern for their organizational mission. Amazingly, even after all the hacks, there are business leaders who still do not get the business impact of privacy.

Having said this, CIOs say there tends to be great concern about GDPR and a desire to understand how to comply. They say that this is a ripe environment for ‘privacy powwows’. CIOs say some organizations are struggling to understand what needs to be changed or the impact of GDPR upon business processes. There is especially a lack of understanding about where data resides. CIOs say it is important at any collection point that the business knows what it is collecting and why it is collecting it. CIOs say that they cannot think of any data collection (forms, web pages, etc.) where there shouldn’t be intent behind what is being collected.

CIOs suggest that in many ways, GDPR is a catalyst for organizations to rethink how they manage, structure, protect, track, copy, and delete data. With this said, CIOs say this is much easier said than done. For this reason, CIOs say, unfortunately, many business leaders don’t have a clue as to how complicated GDPR is making data management. CIOs say their business leaders may understand that they need to meet GDPR compliance but do not always understand the total business impact. CIOs suggest that it is often their job to explain GDPR and map it out. They say it helps to start the discussion by acknowledging the need for business process improvement. CIOs say that they need to help here with the business processes and technical underpinnings needed to redefine how data is managed. CIOs suggest that businesses cannot merely segment or segregate data to comply.

Getting clarity on data protection impact is trickier. Various internal teams and external partners can share and exchange data. However, not everyone should have access to the sensitive data that flows through enterprise business processes. Data management and security are required to ensure there are adequate controls for how sensitive data is handled.

What learnings have you had so far from GDPR that could be valuable to other CIOs?

CIOs say that it is important to think with CDOs about establishing data stewardship. Everything needs to be rethought in conjunction with data stewards. The truth is GDPR is much bigger than IT. CIOs say the vendors in the data management space along with the business users who drive the data usage are part of the challenge.

CIOs say the regulatory environment in the U.S. hasn’t helped. The sector-by-sector approach reflects how out of hand it gets. CIOs don’t mean to imply that blame lies elsewhere. The US, however, does not have a fundamental right to privacy.

Regardless, it’s time to get the ‘data house’ in order. CIOs suggest that GDPR has brought a magnifying glass to the level of disarray in how organizations manage systems and data today. The baling wire and chewing gum are on full display—the legacy debt, as many CIOs like to describe it. One CIO suggested that GDPR has reminded him that the data problems at his organization are more serious and worthy of fixing.

CIOs say we have done ourselves a disservice too. We can’t blame the US regulatory environment for everything. Privacy is a concern that requires digging into and studying. It takes time and reflection. They suggest CIOs do the following: 1) read the proposed policies; 2) understand every line; and 3) partner with experts.

It’s very important to know where your customers’ personal data lies in your organization and how it flows throughout, regardless of the GDPR. It is important to answer the following questions:

  • Do you have a data map?
  • How is your data shared?
  • Do you know when additional consents are required?

If this information exists, you have a good starting point. However, most data maps are somewhat flawed and missing core components. The effort needs to be balanced against other enterprise priorities and legitimate interests. For this reason, CIOs suggest a risk-based approach can be used to clarify the best path forward.

If you could turn back the hands of time, what would you have done differently?

CIOs say they would have started earlier. They say they would have worked on the ‘business context of data’ rather than having the data bits at the center. CIOs say that most organizations don’t want to wait to have their organization’s data strategies tested in court. They are clear that progress has been made and notifications have been sent out, but they think they aren’t as prepared and compliant as they should be.

One CIO said, “I would have done with data what I’ve always preached with agile and DevOps. I would have gotten ahead of the problem because ‘the only easy day was yesterday’.” CIOs are candid that there is no way to back in or retrofit data management into the project portfolio. They suggest as well that an IT-first point of view doesn’t help enough with GDPR. They say that customer data resides in email, spreadsheets, documents, and databases. And that is just the start.

CIOs say the point is we–IT and the lines of business–have a lot of work to do. In the past, the ethical treatment of personal data was rarely a priority. Privacy was viewed as an obstacle to business, instead of a business enabler. You could not gain a competitive advantage by embedding privacy into one’s operations. All that has now changed. Having said this, Ann Cavoukian, author of “Privacy by Design”, said the US will need to adapt to GDPR if it hopes to continue doing business and engaging in trade. That’s why there’s been so much interest in ‘Privacy by Design Certification’.

Parting remarks

It is clear there is more work for CIOs and their business partners to do with GDPR. GDPR will not be an easy journey forward; but in the end, it will clean up data management and make privacy real for Europeans and maybe even those whose countries lack privacy legislation.