GDPR has been a massive topic of discussion in the Security, Risk and Compliance industry since last year. However, many organizations – large and small – are still struggling to grasp what it could mean for them and how to adapt: They find it difficult to figure out exactly what to do, and feel cornered between a real avalanche of – often conflicting – advice from tech vendors and consultants, and the type of generic guidance currently being produced by regulators.
Old habits die hard and many firms are defaulting to ready-made approaches and legacy ways of working by giving the 'problem' either to the Legal department or to the IT department to sort out. Those two positions could lead to serious issues:
- Lawyers may not fully understand some of the complex technical aspects of GDPR compliance (e.g. the capability you need to build to meet the demands of the 72-hour breach notification rule) and may tend to stick to what they know best (e.g. contract updates), pushed in that direction by some of the regulators' checklists.
- IT people could follow the path of least resistance, allow themselves to be pushed by countless vendors, and look for the magic technical product that would make the problem disappear…
Those approaches just perpetuate the 'tick-in-the-box' practices that have been prevalent for too long in that field, and few companies seem to have a clear understanding of the fundamentally transversal nature of “security by design” and “privacy by design” principles at the heart of the new regulation.
It is true that achieving some form of real compliance by May 2018 will be complex, expensive and painful for those firms which are waking up to these issues today after decades of ignorance, denial or lip-service.
Amongst those, some seem to have entered a 'wait-and-see' game, either with their heads firmly stuck in the sand (“it doesn’t change anything for us; we only have personal data in HR” …), or truly scared by the human, cultural and financial costs they would have to face and the transformational effort they would need to put in place to reach a genuine degree of compliance.
They seem to believe that nothing will really happen after all, and that should something happen, they’ll just have to deal with it and fix it.
These are dangerous approaches in the context of the increased powers that will be granted to regulators by 25th May 2018 and they also miss the point which, as the UK ICO recently pointed out, is to put 'the consumer and the citizen first'.
All that in a context where society at large is becoming more and more sensitive to these issues, and poorly handled media coverage could devastate brand equity and reputation.
The right way forward
Once again, for those who want to make real progress, the key for now is not to panic, to start by analysing their current level of maturity around data privacy matters and to build a GDPR alignment roadmap that matches their own priorities and their own resources, looking towards the 25th May 2018 and beyond as necessary: There are things that will be achievable by next year and things that will take more time. This must not become a box-ticking exercise, and will be a matter of cultural shift for many firms: There is no magic product or magic checklist that is going to make you GDPR compliant in 6 months if you are truly starting from scratch today.
As many organizations enter their 2018 budgeting cycle, they will need to ensure that the right amount of resources is put aside and ring-fenced. But the problem goes far beyond financial resources and FTEs: It is key to ensure that internal sponsorship is at a level high enough to be audible across silos (legal, technical, operational) and across the firm (business units, geographies, key external partners), and to make sure a governance structure is put in place that will track alignment progress efficiently and effectively.
As we have pointed out before, evidence of strong management backing and a genuine, trackable, long-term approach towards putting in place the 'privacy by design' principles at the heart of the regulation should always play in your favour with regulators, irrespective of the actual compliance challenges you may be facing.
The key is to break from old habits, take all this seriously and start putting 'consumers and citizens first'.