One of my all-time favorite scenes in the Simpsons is when ‘Dr’ Nick Riviera is having his medical judgment called into question. Instead of proving his own credentials, he casts criticism on everyone else in the room and finishes with – “So you’re not a doctor, he’s not a doctor – in fact, the closest thing to a doctor in this room is me.”
Welcome to GDPR (aka, the new European Union General Data Protection Regulation). Everyone is concerned about it because it includes potentially huge financial penalties – and ignorance will be no defense. Everyone has an opinion, but in truth there is no single certification or qualification that can inform any enterprise on both what the GDPR regulation requires and how to re-engineer organizations to efficiently meet those demands.
You may be a lawyer who really knows the regulation. You may be a CIO who knows how to engineer data. You might even be a data privacy expert who understands the specification of processes that need to be implemented. The truth is that if you really want your enterprise to be able to cope with GDPR, you will need a team effort – and input from a wide range of experts.
That is a costly exercise for most enterprises, who often find themselves with substantial gaps between their current practices and where they need to be. GDPR is not something that can be solved by a single person, or even by a single project. The requirements have far-reaching implications into items such as:
- What personal information does our enterprise need to have?
- What personal information could we consider not handling or storing?
- How do we re-engineer our access management, subject access rights processes, consent and notification procedures to be more efficient?
- Can we consolidate or retire technologies that will not be cost-effective to make GDPR compliant?
- How do we approach managing suppliers and subcontractors that may hold or access personal information that our enterprise is responsible for?
The first piece of good news is that there is a wealth of FREE information on how to understand the compliance requirements. For example, this is from the UK’s Information Commission Office. However, understanding what needs to be achieved is less than half of the problem: experts who understand the regulation are ten a penny – but practitioners who understand how to efficiently engineer appropriate compliance solutions are currently a much rarer beast.
For that reason, ISACA has pulled together a list of some of the main tips that can help any enterprise to tackle GDPR:
Tip 1: Do not underestimate how complex the GDPR compliance changes required will be
The scale of your GDPR compliance challenge will reflect three factors: the size of your enterprise; how much personal information you choose to handle (and in how many different applications); and how ‘expert’ your enterprise already is with meeting data protection regulations.
Small companies, or organizations dealing with a limited amount of employee data, may be able to address GDPR requirements efficiently. However, the more types of personal information (customer, employee, sensitive), and the higher the number of software applications they are used by, the larger the compliance challenge will be.
Tip 2: If you have multiple applications handling personal information, a single project cannot fix your compliance issues
Why not? The simple answer is that meeting GDPR requirements requires efficient delivery of many processes, including subject access requests (the ability for people to write in and get a copy of the information you hold about them), data correction and more.
If you were to allow each application to work out a solution to the requirements, when any of these requests arrived, they would need to be split into lots of different work packages, which would cause an unmanageable and inefficient operational workload.
Now imagine if you ran an effective programme to meet those same requirements, you should have ended up with an ability to meet any requests for information or changes more efficiently – through a single process.
For example, perhaps by moving all the personal information into a master data warehouse and leaving the other applications just to read from it. As another example, implementing a central identity and access architecture that correlates data subject identities can allow different systems carrying information about the same person to be easily identified.
Tip 3: It’s all about the engineering
You’ve almost certainly heard of digital transformation and are probably experiencing it first-hand. The reality is that technology is moving so fast, that most of the software solutions we use today will probably be replaced by something different within three years.
You may also know about the statistic that it is actually cheaper for any government highways agency to build a completely new three-lane freeway than it is to keep an existing two-lane road and add a third lane. The reason it is cheaper to replace rather than extend is because the original structure probably is not fit for the expansion.
Many of our business operations and the software that supports them are very much like this. If you take the business requirements and add in the compliance requirements, a good business engineer will probably be able to replace your systems with faster, newer technology quicker and more cost effectively than trying to bolt the additional needs on to legacy applications.
Having audited so many enterprises, it has been my repeated observation that the organizations with the best process engineers have not only the best processes but are also the most agile and profitable.
So, if you really want to solve GDPR efficiently (and you have a large enterprise), find yourself an excellent compliance expert, business process engineer, technical architect and programme manager.
The challenge for many of us is that we may not easily be able to afford the range of skills we need for a GDPR compliance team. Some good news is that ISACA has been working on creating new GDPR resources, including the near-term release of an implementation guide.
Finally, it is worth remembering that GDPR compliance is only applicable to organizations that choose to handle information about EU citizens. However, as was pointed out to me in a recent webinar, there are other regulations covering personal information, and they are mostly headed in the same direction. For all but the smallest organizations, GDPR is not a solo project. It requires a team effort and substantial upgrades to business operational processes.