Companies staring down the GDPR deadline either with no plan or a poor plan are probably wishing they could press a button so that compliance with the 2018 regulation would be fast and easy. Unfortunately for them, the Forget Button doesn’t exist.

Several years ago, the Staples Easy Button became a popular advertising gimmick for the office supplies company. Originally just a picture in Staples ads, people clamored for a real Easy Button, so the chain made more than 1.5 million plastic buttons that repeated “That was easy” when tapped. It’s the kind of magic that company executives would like now to solve their GDPR challenge.

Companies that weren’t doing a good job of data privacy protection before this new regulation face even larger hurdles now. And there seems to be a scarcity of data privacy and legal experts available to help: at least 28,000 data privacy officers (DPOs) will be needed in Europe alone.

Personal data protection laws were first established in the 1990s, but complying with the GDPR means changes in business practices and processes on a far greater scale. Today’s common business practices, like the more sophisticated CRM programs adopted by most companies, contribute greatly to the complexity of meeting GDPR requirements. And countless measures that companies plan to take to comply are expected to fall short in many cases.

According to SC Magazine, “A recent study found 37 percent of global organizations are unsure if they need to comply with the EU’s GDPR standards.” Gartner research showed that “more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.”

GDPR is catch-up compliance. The data, processes and IT environment of most companies are not structured for these requirements.
For example, they don’t know which data they possess is forgettable or how to validate that the ‘forget’ has occurred.

Article 25 of the GDPR addresses the notion of privacy by design, which calls for minimal personal data collection and retention. In other words, collect only what’s absolutely needed for your business so you don’t have to create extensive measures to monitor or forget it. How often do we all fill out online forms that seem to ask for far more personal data than they’d ever use: name, address, phone, email, age, first pet, color of your house, best man at your wedding, what type of pizza you last had, etc.? Companies haven’t been careful about collecting information; they ask for everything even if there’s no identified need for it.

Once the GDPR is in place, data protection by design will become standard when companies develop future business processes. In fact, data collection and retention processes, with privacy and security in mind, will be part of digital transformation initiatives that improve all parts of business operations, not just compliance.

But right now, in the fall of 2017, everyone is focused on how to quickly achieve compliance. So, how do you get started, or correct your course, if these next eight months don’t seem to give you enough time to get ready? There are a number of people and products that suggest really large-scale, cumbersome ways to reach compliance. There’s probably not enough time for these, and they may represent a much larger investment than is needed. I envision that GDPR compliance can be accomplished in just six steps.
1. Conduct a preliminary GDPR impact assessment to understand the potential impacts of GDPR and determine what processes require further assessment.
2. Identify your compliance priorities: the processes that use sensitive data, and the gaps where you aren’t compliant.
3. Complete the Data Privacy Impact Assessment (DPIA) and describe what measures will be used to mitigate impacts.
4. Implement a remediation plan that secures business processes and applications processing to support privacy rights.
5. Track incidents of non-compliance and take the necessary steps to correct them.
6. Demonstrate compliance through key reports on processing activities, data breaches and more.

With a carefully planned and structured approach such as this, along with tools that can help you carry out these steps, you may not need the Forget Button. Instead, after next May, tap the Easy Button and listen to it say, “That was easy!”