A previous posting in our series of articles on the European Union’s General Data Protection Regulation (GDPR) asserted that, more than anything, GDPR is a business problem.
This is certainly true, if only because it is the business that will suffer tremendously if the company hasn’t managed to get its GDPR house in order before the May 2018 deadline. And even though the modern school of thought says NOT to throw technology at a problem, it would be a grave error not to do so here. And while I’m at it, let’s also throw people at the challenge, although that’s also a no-no in problem-solving. Why am I advocating this for GDPR?
Let’s take a look at the people issue first: there are many people in the organization who have a stake in GDPR. Here are some obvious (and maybe some not-so-obvious) ones and their roles in GDPR compliance:
- Data Protection Officer: formally mandated by the EU to oversee the GDPR compliance program
- Enterprise Architecture team: the “big picture” people who piece the distributed and diverse business and IT landscape together into one, cohesive portrait of data stores and processing activities
- IT system and business process owners: the go-to guys and gals to get the skinny on the GDPR-relevance of their applications, technologies and processes
- IT security SMEs: they know the appropriate means for securing sensitive data and applications
- Compliance experts: interpreting regulations into action initiatives is their daily bread
- Risk managers: balance the damage potential and probability of occurrence of a GDPR-related risk to recommend appropriate mitigations
- Auditors: our internal and external compliance watchdogs
- Project managers: are in-flight projects GDPR-relevant and in need of re-scoping?
- IT planners and strategists: a one-off GDPR compliance project isn’t enough; GDPR compliance will live and breathe even after May 2018. Compliance must be built into future business and IT solutions
- Business planners and strategists: they will find a way to do business despite GDPR limitations; the most innovative will leverage GDPR to get personal with their customers on their personal data protection preferences and offer products and services targeting those preferences
- CEOs: foot the bill and will most likely have to vacate their seat for severe non-compliance on their watch
And there are so many more: HR, marketers, tech support, QA and on and on the list goes. These people all have their little piece of the enterprise for which they have the knowledge and insight on what’s right for GDPR compliance. They each have a role to play and need a technology platform to let them do it. GDPR requires an “all do some” approach as opposed to “some do all.” A collaboration platform is key.
So we can already see how people and technology are related in the GDPR compliance issue. But let’s look deeper into the technology. Because personal data is, for the most part, digital and because it is usually stored and processed in IT systems, only a technology-driven solution will be able to provide the insight into and manage the governance over the disparate data pieces.
Without technology, how will you:
- Know which data is personal, how it was captured, and where and how it is processed and stored
- Classify systems, processes and data as GDPR-relevant
- Gather required information from data stewards and application owners
- Make the connection between processes and their supporting IT systems to better understand what the touchpoints are with customers and employees
- Make the connection between the data stored and the applications that process it to be able to check for accuracy, minimization and retention time
- Quickly provide information on purpose of processing, recipients, intent to transfer, retention period and automated decision making (“profiling”)
- Understand data movements in order to correctly understand the ramifications of a data breach
It’s a lot! So YES! Throw people and technology at GDPR – hard and fast (hard because it’s a critical issue and fast because the deadline is looming). It will take everything you’ve got to beat that deadline.