The first question I get is ‘where do we start?’. The second is ‘how do we do this?’.
The way compliance with data protection law is managed today will not work after 2018, when the GDPR applies, because: 1) it will not scale, and 2) the work of privacy compliance has migrated into, or taken on a new guise within, the organization.
Some organizations have been lucky: heading their compliance office is a lawyer who has been running a legal compliance program for some years and just gets it. Their team has a hybrid of competences, legal and infosec compliance. You don’t need to explain it to them; they normally know where to start, and if they don’t, they know who to ask. They are creative, they have found a way forward, they have secured budget, and they are already running in 2016!
However, there is still the scalability problem. Every organization, depending on its size, will need to build an inventory of its data-assets, and for a selected few of those (following a threshold test) conduct Privacy Impact Assessments. Some organizations could have hundreds of data-assets, and they all need to be listed. Even if you only need to conduct a PIA on 10% of them, you are still looking at 5-100 PIAs, depending on the size of your organization. Each takes 4-8 weeks to complete, and after the initial PIA you still need to allow time for the organization to fix what is lacking. The first 3-5 will take the longest: if you bring in an external consultant, they need to learn your business; if you decide to do it yourself, you need to learn how to conduct a PIA.
The only way forward I see is to productize, in some way, both the inventory and the PIA. Do it so that alerts can be triggered to data-asset owners, each of whom provides information on the data-assets their department processes. Trigger the initial ‘call for data-assets’ inventory from every department across your organization. Create common PIA templates which fit common themes in your organization. From there, ‘tag’ data-assets and their linked attributes so as to give views of privacy by geography, by owner, by sensitivity, and by system. These views give you a ‘heat-map’ of your privacy landscape, fed up to the Privacy Program level.
Don’t buy products which start with assessing risk; these are repackaged infosec compliance and risk products. Choose products which start at the data-asset. Beware of consultants who start by assessing personal data in systems, and listen to those who start by assessing the data-asset.
Think about it: a single data-asset can be spread across multiple systems. Take a wearable as an example. There is the personal data collected by the device and the personal data collected to register the device. The entry-points are different, but they are normally linked to the same data-subject, unless the wearable is for a minor and parental consent is required, in which case the registering parent and the wearer are different data-subjects. I organize this example as a single data-asset with 2 data-sets, and tag the data-sets by geography, IT-system, etc.
Don’t forget that the inventory of your data-assets should be organized around the data-subject, so that you can respond effectively to the Rights of the Data Subject in the GDPR!
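To make the inventory model concrete, here is a small added example (my own illustration, not the author’s tooling and not any vendor product): the wearable above as one data-asset with two data-sets, tags rolled up per axis to produce the geography/owner/sensitivity/system views, a placeholder threshold test that decides which assets go on to a PIA, and a data-subject-centric lookup of the kind the last paragraph asks for. The field names, tag axes, sensitivity scale, subject categories, the threshold rule, and the sample inventory are all assumptions made for the illustration, not rules from the GDPR or from the post.

```python
"""Minimal data-asset inventory with tagging, views, a PIA threshold test
and a data-subject lookup. Added illustration; every name, axis and rule
below is an assumption for the example, not a legal requirement."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DataSet:
    """One entry-point of personal data inside a data-asset (assumed fields)."""
    name: str
    geo: str                 # where the data is stored / processed
    system: str              # the IT system that holds it
    sensitivity: str         # illustrative scale: "low" | "medium" | "high"
    data_subjects: set[str] = field(default_factory=set)  # e.g. {"wearer"}


@dataclass
class DataAsset:
    """A data-asset may span several systems, hence several data-sets."""
    name: str
    owner: str               # department that answers the 'call for data-assets'
    datasets: list[DataSet] = field(default_factory=list)

    def tags(self) -> dict[str, set[str]]:
        """Roll the data-set attributes up so the asset can be viewed on any axis."""
        rolled: dict[str, set[str]] = defaultdict(set)
        rolled["owner"].add(self.owner)
        for ds in self.datasets:
            rolled["geo"].add(ds.geo)
            rolled["system"].add(ds.system)
            rolled["sensitivity"].add(ds.sensitivity)
        return dict(rolled)

    def needs_pia(self) -> bool:
        """Assumed threshold test (not from the post or the GDPR): trigger a PIA
        if any data-set is high sensitivity or concerns minors, or if the asset
        spans more than one geography."""
        geos = {ds.geo for ds in self.datasets}
        hits = any(ds.sensitivity == "high" or "minor" in ds.data_subjects
                   for ds in self.datasets)
        return hits or len(geos) > 1


def view(inventory: list[DataAsset], axis: str) -> dict[str, list[str]]:
    """Pivot the inventory on one tag axis: tag value -> asset names."""
    out: dict[str, list[str]] = defaultdict(list)
    for asset in inventory:
        for value in sorted(asset.tags().get(axis, ())):
            out[value].append(asset.name)
    return dict(out)


def heat_map(inventory: list[DataAsset]) -> dict[str, int]:
    """Per geography, how many assets trip the PIA threshold (the 'heat-map')."""
    counts: dict[str, int] = defaultdict(int)
    for asset in inventory:
        if asset.needs_pia():
            for geo in asset.tags().get("geo", ()):
                counts[geo] += 1
    return dict(counts)


def assets_for_subject(inventory: list[DataAsset], subject: str) -> list[str]:
    """Subject-centric lookup: which assets hold data on a given subject category?
    This is the question a data-subject rights request starts with."""
    return sorted(a.name for a in inventory
                  if any(subject in ds.data_subjects for ds in a.datasets))


# Constructed sample inventory (not real data): the wearable as ONE asset with
# TWO data-sets, registered by a parent on behalf of a minor, plus a second asset.
WEARABLE = DataAsset("fitness-wearable", owner="Product", datasets=[
    DataSet("device-telemetry", geo="EU", system="telemetry-db",
            sensitivity="high", data_subjects={"wearer", "minor"}),
    DataSet("device-registration", geo="US", system="crm",
            sensitivity="medium", data_subjects={"registrant", "parent"}),
])
PAYROLL = DataAsset("payroll", owner="HR", datasets=[
    DataSet("payslips", geo="EU", system="hr-erp",
            sensitivity="medium", data_subjects={"employee"}),
])
INVENTORY = [WEARABLE, PAYROLL]

if __name__ == "__main__":
    print("by geo:     ", view(INVENTORY, "geo"))
    print("by system:  ", view(INVENTORY, "system"))
    print("PIA queue:  ", [a.name for a in INVENTORY if a.needs_pia()])
    print("heat-map:   ", heat_map(INVENTORY))
    print("minor data: ", assets_for_subject(INVENTORY, "minor"))
```

The point of the shape is that the asset, not the system, is the unit of inventory: the wearable appears once, yet the geography and system views show it under both EU/US and telemetry-db/crm, and the subject lookup finds it from the wearer’s side without anyone having to know which systems are involved.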