GDPR readiness – all the noise around it and some insights from the field (did the fines drive it?).
The rising wave of noise around the upcoming GDPR, increasingly hysterical in tone, seems to reflect the evidently poor state of personal data protection today. A great deal of the revelations shared these days about GDPR concern obvious things that are (or at least should be) very well known and already in force under the law we have had for more than 20 years, namely the local laws in every EU country derived from Directive 95/46/EC. The conclusion is clear: the noise triggered by GDPR coming into force in May discloses a lack of compliance today.
Most of this noise is somewhat exaggerated, but voices from the field confirm that there are gaps against the current regulations among organizations within the EU and outside it (those who do business within the EU).
Let’s take one example: there is a lot of talk today about the consent required by GDPR (where no other lawful basis applies) and the right to revoke it and to be forgotten. But this is already required by the directive today; here is a part of 95/46/EC: “Article 7 Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract (…)”. Moreover, this consent has to be straightforward and clear and based on information that includes, among other things, where and how these data are going to be processed.
Job applicants are one case of the above where processing definitely needs explicit consent from the data subject, but in practice this kind of data is still processed without consent or without compliance with the consent given.
Modern HCM recruitment solutions like SuccessFactors are equipped with consent features and everything else needed for compliance. However, in practice the data is often processed outside these solutions, for example CVs cruising around as attachments to e-mails or even as hard copies. This is because people are not aware that taking this kind of data outside the system creates a big risk, such as leakage.
Going forward, imagine how to apply the right to revoke consent and to be forgotten. Solutions like SF have a mechanism to remove the data, but how do you execute it on e-mails and the many copies scattered everywhere?
All in all, it looks like the current regulations have been rather poorly implemented so far ☹.
But why, if this has been known for more than 20 years, is there so much noise around it right now? This is the slightly funny part of the story, as it seems that the high threshold of fines defined in GDPR did it!
Let me sum up in an optimistic way: even if personal data protection is a completely new discovery for many, which is bad for the reasons above, it is still possible to turn it around fast. A kind of organizational change management project is a must here, and it can be run in an agile way or in a slightly more formal structure like discover/realize/execute/deploy.
Data protection and GDPR line up with many standards and workstreams that exist within every organization today, such as data governance and ITIL, which makes it much simpler. GDPR should be deployed as a kind of template across the organization, and IT is the natural unit to handle it: IT as information technology, not narrowly treated as boxes and networks only.
Modern ERPs with all their complementary solutions (like S/4HANA, SuccessFactors, hybris etc.) make it quite simple, as there is a clear structure and tools ready to go with GDPR; here is the link for your convenience: https://discover.sap.com/gdpr/en_us/index.html#
The momentum is right, and an OCM project may be very welcome in any organization under these circumstances. GDPR is worth being loved: it is a chance for all of us to make IT more humanistic and bring business to a better level of social safety!
I will talk about this at: https://wiki.scn.sap.com/wiki/display/events/SAP+Inside+Track+Wroclaw+2018