In Part 1 of this GDPR blog series, we looked at the PII threat landscape and the legal & financial consequences of technology failure. In Part 2, we highlighted the major provisions in the GDPR for technological measures to protect data. In Part 3, we examined some of the guiding principles to be considered in relation to the technological impact of the GDPR within an organization.
This post looks at the GDPR compliance timeline with regard to technological change. Of course, technology needs to be brought into planning and decision-making processes at an early stage within change programmes. It should be one of the key considerations for an organization in making decisions about meeting its requirements and mitigating the risks.
Technology projects are lengthy exercises, and even a straightforward data management initiative with a singular objective can take 3 to 6 months to complete. So, at the time of this blog’s publication, heading into January 2018, where is your organization on the GDPR compliance timeline? Is your compliance plan complete? Are you on target to meet the May 2018 deadline?
The first task is to set the vision and strategy for the GDPR, based on an assessment of the organization’s economic goals for personal data, its risk positions and its full range of obligations. Most organizations that we have spoken to have at least got that far.
From that foundation, there are four key activities that organizations should initiate:
Step 1: Call to action to engage a diverse and executive stakeholder group to drive GDPR change
Organizations seeking to achieve GDPR compliance will need to engage multiple stakeholders across a range of functions (IT, Compliance, Legal, HR, Customer Service, Marketing, etc.) to gather the organizational backing for the changes required. In building this coalition, it is important to note that, as well as achieving GDPR compliance, the consequent improvements of adopting good data management and security principles can deliver tangible benefits back to the enterprise. These include:
- Driving commercial performance through higher quality and more accurate data.
- Greater insight into customer needs leading to improved customer satisfaction.
- Considerable cost reduction opportunities by reducing IT infrastructure footprint.
- Opportunity to simplify the applications landscape.
The stakeholder group will be instrumental in securing budgets and resources, generating urgency and clearing the path for a consolidated programme with the backing of the board and executive.
Step 2: Assess the gap between functional GDPR requirements and technical capabilities
Enterprises should undertake a technology functionality gap analysis, whereby the technology-driven requirements of the GDPR are assessed against the technology capabilities of the organization, covering the entire data lifecycle management process and its associated policies, infrastructure, security and controls. The requirements will be driven by the Principles, Rights and Build requirements of the GDPR and the gap analysis will expose deficiencies, vulnerabilities, potential threats, and areas of non-compliance.
Step 3: Prioritise and sequence the change required by executing a risk and cost/benefit analysis
In the world of technology just about anything and everything is possible. In the real world, however, time and money are limited resources, which is why the only realistic way to address the GDPR’s requirements is through a risk-based approach, where the highest risk areas are addressed first and most comprehensively. Accordingly, enterprises should use the findings of their gap analysis, a cost/benefit analysis and scenario testing to identify and plan their priorities.
Step 4: Design and mobilise the GDPR transformation programme for change
A GDPR programme will be complex and transformational in nature, as it will change the way the organization’s people, processes and technology interact around the handling of personal data. An integrated transformation programme structure should be adopted. This will comprise:
- Operating model for GDPR with associated organization change
- Compliance implementation, covering the design and implementation of policies, procedures and controls
- Operational change and process redesign
- Technology programme consisting of detailed design, build, test and deployment
- Management of change activities including communications, training and behaviour change
- Programme and project management to govern the programme
The role of external advisors and technology vendors
While the GDPR technology framework is intended to provide a comprehensive view, organizations will have to make difficult choices about when, where and what to invest in to provide maximum protection. While some will have the scale and resources to deploy technology covering the entire GDPR technology framework, most will assess risks differently and deploy resources in a more focused manner.
The expertise to advise on and deploy technologies will often not exist within an organization. Professional advisors, software vendors, system integrators, IT service companies and the contractor market are resources that can plug capability and capacity gaps, especially where they bring proven expertise and understanding of the specific challenges of the GDPR.
Additional factors for vendor selection of GDPR solutions may include:
- Breadth of an integrated portfolio and interoperability with other vendors’ solutions.
- Depth of analytics embedded into the solution to drive effectiveness and efficiency.
- Proven data privacy, data security and sector domain experience.
- Simplicity in packaging, such as a modular approach to procuring and deploying solutions.
- Market reputation, longevity and roadmap for product development around the GDPR solution set.
activereach offers a three-step GDPR Readiness Technology Assessment to help get your organization better prepared for the GDPR deadline in May next year.
Step 1: Stakeholder interviews conducted by a member of our pre-sales team to identify your information flows that are in scope for the GDPR. Information gathering will be conducted under mutual NDA and includes details of third-party processors, applications and infrastructure elements. The service does not include your customers/data subjects by default, but it may be recommended that you survey them as part of GDPR project work.
Step 2: An assessment will be made for each information flow to determine whether a full DPIA (Data Privacy Impact Assessment) is required, and/or to identify risks and gaps in the current provision of the information system. This assessment draws on the information gathered during the stakeholder interviews, combined with any documented information about IT systems and infrastructure the company can provide.
Step 3: activereach will prepare a tailored, individual report capturing the stakeholder information, the information flows identified, and our analysis and inferences. The service will assess the information systems’ readiness for GDPR compliance activities from a technological point of view. Customers should separately seek legal or other associated professional advice for non-technical assessments of GDPR readiness.
If you would like to arrange a GDPR Readiness Technology Assessment, please call activereach on 0845 625 9025 and ask to speak to one of our GDPR Experts.