In these days of romanticizing ready-FIRE!-aim as it relates to entrepreneurship and product innovation, I’ll stand up and voice my concerns when it comes to using this as a compliance strategy for GDPR.
The General Data Protection Regulation (GDPR) is a sweeping regulation that will likely have a major impact on most companies—except for those few who have absolutely nothing to do with the personal data of residents of the European Union. Chances are you have already read all about GDPR, so I won’t explain it here (and besides, that’s best left to your legal team). But think of it as SOX on steroids but with a data privacy and protection focus.
Given the siloed world many of us live in, chances are that your company deals with the introduction of each major regulation as a one-off event. Depending upon the focus of the regulation, the company may do a quick evaluation to say, “Yup, it applies to us” and then assign responsibility to the department that is most involved. For example, SOX was probably initially assigned to the financial accounting folks, until management realized it wasn’t just about getting the debits and credits right—instead, it involved tightening up a variety of activities that spanned many groups and departments from the CEO on down.
I’m a bit concerned that companies may be approaching GDPR compliance in the same way. That is, start a spreadsheet, toss GDPR to various IT owners, let them buy and implement whatever they need, and call it good. After all, if you pour enough technology on it, it should be easy—right? But there are more than a few problems with this approach:
- First, GDPR isn’t just about technology. It includes technology, sure, but it also includes people, processes, and even company attitudes toward the protection of data.
- And while there is a myriad of vendor offerings to help with GDPR, there is not now and likely never will be a single, comprehensive tool set that does it all. There is no magic “GDPR in a box” solution, alas. So, sending IT on a quest to find this mythical solution is not likely to be a rousing success.
- Besides, without first carefully evaluating GDPR requirements and assessing your gaps and challenges, how can you possibly know when you have found the right combination of solutions for your company? Is a spreadsheet along with numerous e-mails enough to prove that you are compliant?
- Also, how do you know that various risks and controls surrounding GDPR will be assessed the same way for a consistent, effective, and sustainable approach?
Take Aim at GDPR Compliance
So instead of a ready-FIRE!-aim approach, I propose instead taking the extra time to aim by:
- Carefully analyzing the regulation to determine which specific requirements apply to the company
- Fact-finding to understand the situation today—which systems, data, processes, policies, contracts, and people are related to GDPR compliance
- Comparing the detailed GDPR requirements vs. your as-is state to determine what gaps exist
- Creating different workstreams to investigate and fill those gaps
- Documenting what you are doing as you go along so you know where you stand and can evaluate your progress
- Focusing on creating sustainable processes and practices, not just one-time quick fixes. There is no indication that GDPR will go away any time soon.
I am personally a fan of having several workstreams working concurrently. For one thing, GDPR goes into effect on May 25, 2018 so there is not much time left. And there is no reason why one team cannot be working on updating policies and related education materials while another team is implementing software to help locate and correlate personal data elements. So a multi-workstream approach can be beneficial and, depending upon how far along you are with GDPR compliance, it may be the only approach that will help you be compliant on time.
Don’t underestimate the GDPR requirements for being able to provide evidence of compliance and demonstrating accountability. A ready-FIRE!-aim approach isn’t the best way to do this (no surprise!). And having a software solution to document risk assessments, evaluate controls, monitor systems, and provide the reporting that your Data Protection Officer (DPO) needs can be a huge step up from spreadsheets and e-mails.
On a related note, if you are one of the many companies who may not be 100% GDPR-compliant on day one, the generally held opinion (not legal fact) is that being able to demonstrate strong good-faith efforts will go a long way. So, having a clear idea of where you are, where you are going, the progress made, and the priorities for continuing is key.
In short, compliance with GDPR should not be a one-time unilateral project but instead needs to be a sustainable enterprise-wide process. If you are using a ready-FIRE!-aim approach, it’s likely you’ll end up missing the target.
Read all the GRC Tuesday series blogs on GDPR to learn more.