With less than two months remaining until the May 25th deadline, organizations should be well on their way towards General Data Protection Regulation (GDPR) compliance. Privacy’s “new normal” will require you to demonstrate, on an ongoing basis, how you collect, use, retain, disclose and destroy personal information in line with the new GDPR requirements.
This has a significant impact on the IT organization, as the custodian of this information, and is a significant transformational activity for your organization going forward. Those who cannot show compliance with the principles of GDPR by the deadline may face fines of up to four percent of global turnover.
It’s important to have a “regulator ready” mindset as you start the process of addressing each nuanced point of GDPR’s 99 articles. Your organization needs a structured, risk-based approach to introducing iterative change in line with GDPR requirements and privacy principles, and my goal here is to help simplify this approach.
GDPR compliance will be an ongoing effort of adopting guidelines, operationalizing privacy compliance and eventually optimizing and getting value from your processes. However, on May 25, you must be able to present a minimum viable product to EU regulators, customers and vendors. We call these your “day one” capabilities, which include:
- an active and engaged Privacy Governance Model
- a drafted and piloted Record of Processing Activities
- a Data Protection Impact Assessment (DPIA) workflow that addresses the prior-to-processing tenet of GDPR
- an assigned and onboarded data protection officer
- data subject right processes and assignments in place
- updated procurement standards, templates, addendums, etc.
- a project management office methodology to align with the Privacy Program
- an updated privacy intranet portal with intuitive use cases and helpful FAQs
- board and committee awareness and messaging
- a risk-aligned privacy compliance roadmap dictating what further efforts need to be rolled out
While the above may look like an “alphabet soup” of regulatory speak, the good news for CIOs is that other parts of the business (chief privacy officers, legal, human resources, etc.) play leadership roles in this program as well. However, as with all transformation efforts, IT plays a major part in helping to identify sources or locations for all personal information in scope (data discovery), implementing safeguards to protect the information in accordance with requirements across the entire data lifecycle from creation through destruction (data protection) and developing systems or workflows to facilitate compliance and reporting activities (efficient compliance).
A strong partnership between the IT function and the business will facilitate the race to GDPR compliance in May, but in many ways, it is just the start. Throughout the rest of 2018 and into 2019, your organization should go beyond simply complying with GDPR and start operationalizing privacy compliance and related change across your business processes. These “day two” capabilities, as we call them, include:
- the rollout of a compliance roadmap of all activities required to maintain GDPR in alignment with business risk/complexity
- updates to the record of processing activities
- updates to security and data protection controls based on lessons learned
- procurement and contractual updates
- vendor privacy risk management improvements
- documentation of any interaction with regulators in the event of an inquiry
- IT and IT security process and safeguard enhancements
- standard operating procedure build and implementation
- an employee training and awareness campaign
- privacy governance and compliance reporting
As we move through 2019 and into 2020 and GDPR compliance becomes the norm, your organization must start optimizing privacy compliance. Business and IT partners should work to introduce self-service, on-demand privacy compliance processes and tools that facilitate governance and reporting, and should consider the following actions:
- converging cyber and privacy responsibilities to move to a comprehensive and unified data protection agenda
- implementing improved data protection tools
- optimizing enterprise risk management methodology and related key performance indicators and reporting
- informing employees, vendors, and customers of your improved and compliant GDPR capabilities
Complying with GDPR is just the first step. As your organization moves forward, creating an agile GDPR program founded on privacy principles will allow for easy modifications of the program in the face of changing privacy laws. With the right tools and an organization that understands how to use them properly, your organization will realize value from its GDPR program.