by Daniel Hebda

Unlike the Staples Easy Button, there’s no GDPR Forget Button

Sep 26, 2017

Companies staring down the GDPR deadline either with no plan or a poor plan are probably wishing they could press a button so that compliance with the 2018 regulation would be fast and easy. Unfortunately for them, the Forget Button doesn’t exist.

Several years ago, the Staples Easy Button became a popular advertising gimmick for the office supplies company. It was originally just a picture in Staples ads, but people clamored for a real Easy Button, so the chain made more than 1.5 million plastic buttons that repeated, “That was easy,” when tapped.

It’s the kind of magic that company executives would now like to have to solve their GDPR challenge. Companies that weren’t doing a good job of data privacy protection before this new regulation face even larger hurdles now. And there seems to be a scarcity of data privacy and legal experts available to help: at least 28,000 data privacy officers (DPO) will be needed in Europe alone.

Personal data protection laws were first established in the 1990s. But complying with the GDPR means changes in business practices and processes on a far greater scale. Today’s common business practices, like the more sophisticated CRM programs adopted by most companies, contribute greatly to the complexity of meeting GDPR requirements. And countless measures that companies plan to take to comply are expected to fall short in many cases.

  • According to SC Magazine, “A recent study found 37 percent of global organizations are unsure if they need to comply with the EU’s GDPR standards.”
  • Gartner research showed that, “more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.”

GDPR is catch-up compliance. The data, processes and IT environment of most companies are not structured for these requirements. For example, they don’t know which of the data they possess is forgettable or how to validate that the ‘forget’ has occurred.

Article 25 of the GDPR addresses the notion of privacy by design, which calls for minimal personal data collection and retention. In other words, collect only what’s absolutely needed for your business so you don’t have to create extensive measures to monitor or forget it.

How often do we all fill out online forms that seem to ask for far more personal data than they’d ever use: name, address, phone, email, age, first pet, color of your house, best man at your wedding, what type of pizza you last had, etc.?

Companies haven’t been careful about collecting information; they ask for everything even if there’s no identified need for it. Once the GDPR is in place, data protection by design will become standard when companies develop future business processes. In fact, data collection and retention processes, with privacy and security in mind, will be part of digital transformation initiatives that improve all parts of business operations, not just compliance.

But, right now, in the fall of 2017, everyone is focused on how to quickly achieve compliance.

So, how do you get started, or correct your course, if these next eight months don’t seem to give you enough time to get ready?

There are a number of people and products that suggest really large-scale, cumbersome ways to reach compliance. There’s probably not enough time for these, and they may represent a much larger investment than is needed.

I envision that GDPR compliance can be accomplished in just six steps.

  1. conduct a preliminary GDPR impact assessment to understand the potential impacts of GDPR and determine what processes require further assessment
  2. identify your compliance priorities … the processes that use sensitive data … and gaps where you aren’t compliant
  3. complete the Data Privacy Impact Assessment (DPIA) and describe what measures will be used to mitigate impacts
  4. implement a remediation plan that secures business processes and applications processing to support privacy rights
  5. track incidents of non-compliance and take the necessary steps to correct them
  6. demonstrate compliance through key reports on processing activities, data breaches and more

With a carefully planned and structured approach such as this, along with tools that can help you carry out these steps, you may not need the Forget Button. Instead, after next May, tap the Easy Button and listen to it say, “That was easy!”