GRC Tuesdays: “Ayurvedic” GDPR
At around 11 months before the General Data Protection Regulation (GDPR) or Regulation (EU) 2016/679 becomes effective, how are things looking in the market place?
GDPR is a topic I’ve been working on for some nine months as part of my role. This entails a lot of reading and research, talking to many, many customers and peers on the topic, learning what they are doing, and assisting customers with an approach to an end-to-end compliance capability. (Read our other GDPR articles.)
Beware of Misleading Comments
I’ve seen a number of misunderstandings and misrepresentations for GDPR that worry me. For example, I’ve seen it stated by others that GDPR requires data to be encrypted. Or that data centres have to relocate from the United States to the European Union to be GDPR compliant. Both are untrue but contain just enough similar wording to GDPR to make it sound plausible. This reminds me of the story about someone suffering with up to 17 headaches a day and how that was resolved (but more on that a bit later).
Part of the problem is that vendors and agencies are bending the meaning of GDPR to suit their niche functional capabilities. I have also noticed a laziness when they don’t actually read the GDPR but instead use someone else’s interpretation and/or summary points to develop a feature map and collateral. So, for example, software being positioned (and possibly purchased?) is a few levels of separation and interpretation away from the real GDPR requirement.
In addition to being wrong and confusing, this can also lead to a plethora of disconnected niche pieces of software cluttering up the enterprise, while not really addressing the needs of the actual regulation.
Give It a Go—Read the GDPR
The GDPR is not the most riveting read, true, but it’s actually quite well structured. And if one takes the perspective of its intent—to protect people’s personal data from accidental or institutionalised misuse or loss—it makes a whole lot of sense. You don’t have to be a lawyer to understand that intent.
I was at a seminar recently, and a representative from the supervising authority for that member state reflected that their GDPR experts were being poached by industry. They also pointed out that GDPR was an operational exercise, not a legal one, so lawyers alone wouldn’t be enough to determine a corporate response.
Pressure to Sell Drives Confusion
Software companies want to sell licenses and they want to get into the market quickly, so they need to enable their sales teams to articulate why their GDPR story is better than their competitors’. There is pressure to sell and to simplify the message.
But GDPR in its full extent is not that simple, and it touches a very broad range of roles in an organisation as well as different levels. Legal, finance, compliance, audit, IT, security, training, as well as the board of directors, all own a slice of the GDPR pie. Combinations of technical tools plus ongoing, sustainable process governance and cultural change are required.
Because of the breadth of GDPR, the majority of vendors in this space can only offer niche solutions. This sometimes makes it difficult for them to add any real substantive contribution to GDPR compliance. But they still try to find some storyline to hook into.
The diagram above is a way of interpreting and delivering a core set of GDPR requirements that can be operationalised via a single solution, as part of a centralised corporate response to GDPR. It has been crafted around the regulation itself as the source of truth. The solution can be integrated with other new tools and legacy systems to deliver a coordinated and centralised view on GDPR compliance.
I believe software vendors have a duty to go back to the regulation and read it, then determine how their software meets the requirements, and clean up their messaging. We’re less likely to get misleading statements, less likely to induce customer GDPR fatigue, and more likely to aggregate around approaches that benefit our customers.
GDPR Requires a Holistic Approach to be Effective, and to be a Value Add
Now back to the person with the 17 headaches a day. Significant testing was done of the head, blood, hormones, enzymes and so forth, focusing on solving the problem of headaches. After quite some time a holistic doctor was engaged who approached the problem from a whole-body perspective, not just focusing on the head. They discovered a misalignment of vertebrae in the spine plus a way of life that led to constrictions in the spine, resulting in the headaches. This is much like the Ayurvedic approach to medicine, which holds that health and wellness depend on a delicate balance between body, mind, and spirit.
GDPR needs to be addressed with the same contextualised—whole body—approach. Organizations shouldn’t be acquiring and implementing niche tools to tick off stated problems as presented by third parties, but should be taking a holistic approach to rolling out the business change that is required by GDPR. Yes, this includes software, but also a permanent cultural shift in how the organisation thinks about and handles personal data.
So what is required? Good software focusing on technical GDPR requirements (which does include encryption but also pseudonymisation and other appropriate technical measures), governance of the GDPR compliance processes, and ensuring the necessary cultural change is pushed out into the business. In other words: better corporate body, mind, and spirit.
If done well and thoroughly, these are the same activities that will deliver benefits like:
- Reduced cost of compliance (not just GDPR) and likelihood of a fine
- Reduced organizational and individual risk, linked to business planning and mission
- Good data governance
- Reduced cybersecurity risk and reputational risk
- Smaller, better organized IT toolset
- Cleaner user privilege administration
- Greater organizational agility