GDPR compliance mandates can be tricky to interpret for companies handling advanced technology. For leaders in tech, it can be tempting to look at the new rules laid out by Europe’s GDPR and seek a simple, one-size-fits-all solution to the problem of sustained compliance. As any good CISO will tell you, however, such solutions do not exist. Instead of approaching the GDPR as a box to tick, a hurdle to jump, or even an eloquent privacy agreement with an anxious little ‘I agree’ button at the bottom, it is best to see GDPR compliance for what it truly is – a process, not a product. The price of not doing so can prove as much a threat to a company’s competitive advantage as it is to its ability to avoid those 20 million euro fines.
The Current Perception
Proof of perception impacting preparedness can be found everywhere. Often presented in the form of regulatory horror stories, it is perhaps little surprise that the rollout of the GDPR has caused many businesses to react with a mix of fear, frustration, and at times, outright confusion. This mindset has already led to bad results. With half of affected companies predicted not to be fully GDPR compliant by the end of 2018 and 60% of affected US companies being unprepared, it is painfully apparent that a fog of reluctance still hangs in the offices and meeting rooms of more than a few vulnerable firms. Companies interpreting new mandates as something that can be cleaned up with a bit of legal paperwork and some new privacy updates is a mistake. In fact, practical measures for integrating the compliance process into daily operations will make businesses more competitive, rather than less.
The Scope of Work – Beyond Only Tech
Whether collecting user consent, appointing a DPO, or identifying sensitive data, this consultancy recognizes that each company has different needs in terms of GDPR compliance, and each case involves its own unique scope of work that must be identified. GDPR compliance is about tech, but it’s not all about tech. When we first speak with companies, we are looking to understand several other important factors before diving into their use of technology. We initially need to map out the scope of their compliance issues. Some companies are well on their way, but other companies have problems that go beyond the GDPR. In these cases, going through the compliance process can help with planning projects, communicating across teams, and measuring long-term success. If you can measure key performance indicators, you can be GDPR compliant.
Regardless of company size, sector or current compliance needs, these are the four primary questions we ask ourselves as we begin providing support to the compliance processes of the companies we work with:
What has the company done before in service to data protection?
Does the company have methods in place to secure the privacy of their customers, or is data being collected without a consistent plan for what will be done with it later? Has the company considered the human, as well as the financial cost of data breaches? Do they have team members who understand, through lived experience, the security concerns of their customers? The more complete the answers to these questions, the more beneficial any risk assessment will be to the company.
Is the company’s leadership willing and able to make necessary changes?
Data protection may require a change in business practices, and some team leads may not be at ease with the pace or direction of such changes. Data protection may necessitate changing vendors, hiring a Data Protection Officer, or spending time on training essential staff to meet new challenges. All of this costs time and money, which must be accounted for. Someone with the authority to devote resources to compliance needs to be willing, or else there will be significant delays to the compliance process.
What is the company’s management structure like?
What sort of project management processes have been adopted? Are there any processes in place to deal with time-sensitive issues? What are they? When employees spot problems, is there a defined process for reporting their concerns? How does the team usually respond? Companies that ignore critical vulnerability reports may be in for a shock when they read about the responsibilities of a Data Protection Officer, including being a point of contact for Data Protection Authorities that must be notified about breaches even when there is no customer impact.
What role should software play?
Many companies may be familiar with a particular kind of software that they would like to use in order to keep their compliance protocols consistently monitored, maintained, and documented. For these purposes, software can be fantastic. It can scan large systems of data, support project management goals, assist in data-mapping, and streamline certain administrative tasks. That being said, even the best programs cannot train your people, design your products, or configure your data collection practices to automate subject access requests. Here, human-led procedural oversight must be instituted. Software can enhance well-established compliance practices – not replace them.
Continuing the Process
When it comes to GDPR compliance, perhaps the easiest thing to lose sight of is the fact that just like technology, the law is constantly evolving in response to people’s wants and needs. Keeping a vigilant eye on existing procedures and being transparent to customers about data usage is something that any capable company should already be doing – even without the GDPR. But more must be done to maintain compliance through an ongoing process. As technologies reliant on Blockchain or Big Data continue to develop, so too must our understanding of how to implement compliance within new platforms and services.
At present, we must relegate thoughts of data protection as a one-time event to the cobwebbed catacombs of a pre-GDPR world. New laws outside of Europe demonstrate that the public demand for privacy isn’t going anywhere. Companies that rise to the occasion and recognize GDPR compliance as an ongoing process in service to their customers rather than a patchwork appeasement product for regulators will have everything to gain. It appears no agree button can offer that yet.
To stay up to date on how GDPR affects technology, follow TechGDPR on Twitter.