There is a mad GDPR panic on right now. All those companies which haven’t started, or which started very late (end of 2017 or beginning of 2018), are starting to realise that GDPR is not just about security, or about fixing the privacy notice, or even about responding to the rights of the data subject. It’s much more. It’s about doing it right. It’s about doing what should have been done before anyway, in order to benefit from business efficiencies.
Of course, they are starting to realise, for example, that in order to meet the 72-hour personal data breach notification requirement, an incident management process needs to be in place and effective. The 72 hours run from the moment you become aware of the breach, so you have to be able to detect one in the first place. Even if you are using ITIL/ITSM, the industry standard for incident management, it is useless if you haven’t fixed your logging: what are your systems logging, how is it captured, and how is it correlated into something which actually means something? If you don’t have a baseline for what is ‘normal’, how do you know what is an anomaly?
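To make the baseline point concrete, here is an added example (not code from the original post) that learns what ‘normal’ looks like per user and action from a week of audit log lines, then scores a new day against it. The log format, the users, the record counts and the three-sigma threshold are all constructed assumptions for the illustration; your own systems will log something different, which is exactly the first thing to find out.

```python
"""Added example: build a 'normal' baseline from audit log lines, then flag anomalies.

The log format, users and numbers below are constructed for this illustration;
they are not from any real system.
"""
import re
import statistics
from collections import defaultdict

# One line per data-access event: timestamp, user, action, records touched, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) src=(?P<src>\S+)$"
)

# Constructed "known good" days used to learn what normal looks like.
BASELINE_LOG = """\
2018-03-01T09:02:11Z user=alice action=export records=110 src=10.0.0.5
2018-03-01T10:15:40Z user=alice action=export records=95 src=10.0.0.5
2018-03-02T09:07:03Z user=alice action=export records=130 src=10.0.0.5
2018-03-02T14:22:18Z user=alice action=export records=105 src=10.0.0.5
2018-03-03T09:01:57Z user=alice action=export records=120 src=10.0.0.5
2018-03-01T11:30:00Z user=bob action=view records=1 src=10.0.0.9
2018-03-02T11:31:12Z user=bob action=view records=1 src=10.0.0.9
2018-03-03T11:29:45Z user=bob action=view records=2 src=10.0.0.9
"""

# Constructed new day to be scored against the baseline.
NEW_LOG = """\
2018-03-04T09:03:30Z user=alice action=export records=115 src=10.0.0.5
2018-03-04T23:48:02Z user=alice action=export records=48000 src=10.0.0.5
2018-03-04T11:30:21Z user=bob action=view records=1 src=10.0.0.9
2018-03-04T12:05:09Z user=bob action=export records=3000 src=10.0.0.9
2018-03-04T12:06:00Z user=carol action=export records=10 src=10.0.0.12
"""


def parse(log_text):
    """Turn raw lines into dicts; non-matching lines are dropped (count them in production)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["records"] = int(e["records"])
            events.append(e)
    return events


def build_baseline(events):
    """Per (user, action): mean, population stdev and sample count of records per event."""
    samples = defaultdict(list)
    for e in events:
        samples[(e["user"], e["action"])].append(e["records"])
    return {
        key: (statistics.mean(v), statistics.pstdev(v) if len(v) > 1 else 0.0, len(v))
        for key, v in samples.items()
    }


def detect(events, baseline, sigma=3.0):
    """Return one alert per event that falls outside the learned baseline."""
    known_users = {user for user, _ in baseline}
    alerts = []
    for e in events:
        key = (e["user"], e["action"])
        if e["user"] not in known_users:
            alerts.append({**e, "reason": "unknown_user"})
        elif key not in baseline:
            alerts.append({**e, "reason": "new_action"})
        else:
            mean, stdev, _ = baseline[key]
            # Floor the spread so a tight or single-sample baseline does not alert on noise.
            threshold = mean + sigma * max(stdev, 0.1 * mean, 1.0)
            if e["records"] > threshold:
                alerts.append({**e, "reason": "volume", "threshold": round(threshold, 1)})
    return alerts


def run_example():
    """Score the constructed new day against the constructed baseline."""
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for a in run_example():
        print(f'{a["ts"]} {a["user"]} {a["action"]} records={a["records"]} -> {a["reason"]}')
```

The three alerts it raises (a late-night export of 48,000 records by a user who normally exports about a hundred, a user performing an action never seen before, and a user with no history at all) are the kind of thing the 72-hour clock depends on: without the baseline, the first line of the new day and the second look identical to the log pipeline.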
The problem of testing on live data, rather than anonymised test data, has reared its ugly head. How far can you go in anonymising before you lose utility? Or maybe pseudonymisation is the way forward; but pseudonymised data is still personal data, and then the test environment needs to adhere to the same GDPR demands as production.
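The utility trade-off is easier to see on data. The following is an added example, not code from the original post: it takes a constructed two-table extract (customers and their orders, fictitious people), pseudonymises it with a keyed HMAC so that the join between the tables survives, and anonymises it by stripping identifiers and generalising the rest, which is where the join, and much of the testing utility, is lost. The field names, the records and the key are assumptions made for the illustration.

```python
"""Added example: pseudonymising a production extract for a test environment.

Records, field names and the key are constructed for this illustration only.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample data: two fictitious customers and their orders.
CUSTOMERS = [
    {"customer_id": "C1001", "email": "alice@example.com", "dob": "1984-06-17", "postcode": "SW1A 1AA"},
    {"customer_id": "C1002", "email": "bob@example.com", "dob": "1991-11-02", "postcode": "M1 2AB"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 19.99},
    {"order_id": "O2", "customer_id": "C1001", "amount": 5.00},
    {"order_id": "O3", "customer_id": "C1002", "amount": 42.50},
]

# Hypothetical secret. In practice it lives in production's secret store and never reaches test:
# whoever holds it can re-identify every record, which is why this output is still personal data.
KEY = b"example-key-do-not-use"


def pseudonym(key, value):
    """Keyed, deterministic token for one identifier.

    HMAC rather than a bare SHA-256: with a bare hash anyone can confirm a guessed
    e-mail address or customer number simply by hashing it and comparing.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(key, customers, orders):
    """Replace direct identifiers consistently across tables so joins still work."""
    p_customers = [
        {
            "customer_id": pseudonym(key, c["customer_id"]),
            "email": pseudonym(key, c["email"]) + "@test.invalid",
            # dob and postcode are kept for age- and region-based business rules. They are
            # quasi-identifiers: together they can re-identify people even without the key.
            "dob": c["dob"],
            "postcode": c["postcode"],
        }
        for c in customers
    ]
    p_orders = [{**o, "customer_id": pseudonym(key, o["customer_id"])} for o in orders]
    return p_customers, p_orders


def anonymise(customers, orders):
    """Strip identifiers and generalise quasi-identifiers; the link between tables is gone."""
    a_customers = [
        {"birth_decade": c["dob"][:3] + "0s", "postcode_area": c["postcode"].split()[0]}
        for c in customers
    ]
    a_orders = [{"amount": o["amount"]} for o in orders]
    return a_customers, a_orders


def orders_per_customer(orders):
    """A typical test-suite query that only works while customer linkage survives."""
    return dict(Counter(o["customer_id"] for o in orders if "customer_id" in o))


if __name__ == "__main__":
    p_customers, p_orders = pseudonymise(KEY, CUSTOMERS, ORDERS)
    print("pseudonymised:", orders_per_customer(p_orders))   # join intact
    a_customers, a_orders = anonymise(CUSTOMERS, ORDERS)
    print("anonymised:", orders_per_customer(a_orders))      # nothing left to join on
```

Two things follow from the code. First, the pseudonymised extract still contains dates of birth and postcodes, and the key reverses the tokens, so it is personal data under GDPR and the test environment holding it needs production-grade access control, logging and retention, not a copy on a developer laptop. Second, the anonymised extract is safe to hand around but can no longer answer ‘how many orders did this customer place’, so the business has to decide which tests genuinely need linkage before it chooses between the two.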
In order to control the flow of personal data, they are starting to realise that you need to think about how the business process flows, across internal operations and processors. What do your processor agreements look like? Have you placed strong requirements, in the form of SLOs and metrics, into your contracts?
And, in order to achieve data protection by design and by default, every employee needs to know what personal data is, what processing is, and why they should care. This is needed in order to capture ‘invisible personal data’: personal data which is being collected and processed by employees who don’t even know they are doing it wrong.
The challenges are multifaceted, and every company has different priorities depending upon its business and how it has evolved. For example, why spend time getting legal to review 100 contracts for GDPR compliance, when maybe you should be looking at how your business grew? Was it through acquisitions? In that case maybe it’s time to look at taking a central governance approach to how you do business from here on.
GDPR is a change management journey. It is about people and processes, and in the best situations it’s about empowerment of every individual and every nuance of business operations. It is enablement. It is a time to think anew, and do it right!