A colleague of mine describes the GDPR as “neither a starting line or a finish line”. I like this because it offers a perspective of how organizations should approach this complicated regulation. The General Data Protection Regulation is intended to increase data privacy for EU citizens and applies to any organization that has personal data of these individuals, regardless of where the organization is located.
Even though the GDPR is effective May 25, 2018, the “no starting line” idea means that it is critical to begin planning now. Organizations should shift focus from leveraging data they collect on customers and employees to strengthening data privacy.
The GDPR isn’t the first regulation intended to ensure data privacy and it won’t be the last, which points to the “no finish line” idea. Being compliant with the GDPR is not a onetime activity. Market forces and organizational changes continually reshape the way organizations interact with customers and employees. Every change must consider privacy impacts to remain compliant with the GDPR. To ensure continual compliance with the GDPR, an organization should implement a dynamic compliance approach that includes methods to ensure privacy control when any business change is made to the organization. With no starting line and no finish line, there is no need to panic. I recommend taking the following five steps to dynamically manage this new regulation, as well as any future data privacy regulations that will inevitably be introduced:
- Fast Track Assessment – Your organization might be more prepared than you might think. A fast track assessment helps understand where the GDPR support information might exist as well as help you understand the overall readiness of your organization. Once done, the assessment provides a plan for privacy control, which according the Information Commissioners Office (ICO) is a critical starting point. It also begins to demonstrate intent to comply, which is valuable.
- Launch GDPR Compliance Projects – Some business processes, systems, and organizational roles support customers and employees directly, so it makes sense to start implementing compliance controls with these systems first.
- Build a GDPR Management Toolkit – Once key projects implement the GDPR control requirements, the methods used to implement, verify, audit, and optimize these requirements become a management toolkit. The Chief Privacy Officer, or compliance official in the organization responsible for overseeing this regulatory change, needs to understand and show how an individual’s data rights are being preserved in the processes, systems and data across the enterprise. Audit artifacts, which attest to the effectiveness of the GDPR control can be dynamically derived when needed. Executive teams receive relevant information for decisions involving the delicate balance between business effectiveness and privacy control. These benefits come from a management toolkit.
- Continually Optimize Control Management Practices – The GDPR, like all regulations, get updated on a periodic basis, requiring a reassessment of where the regulatory control requirements affect the systems, processes, and data used across your enterprise.
It is tempting to see the GDPR as an organizational headache, maybe even a migraine. However, disrupters like the GDPR provide the opportunity for organizations to evolve and become more agile. RG’s approach to data privacy is through our proprietary business analysis and requirements methodology called LINKProcess™. LINKProcess™ combines the disciplines of architecture, which provides visual perspectives of your infrastructure (systems, processes, data, people, facilities, etc.) with business analysis which ensures effective organizational change through requirements. If you address the GDPR through traceable, reusable control requirements dynamically linked to the people, processes, systems and data they govern, your organization will have an effective way to demonstrate and ensure the GDPR compliance. Adoption of LINKProcess™ shows organizational intent (no starting line) as well as organizational commitment (no finish line).
Want more information about LINKProcess and how it can help your organization?