ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > GDPR Compliance: One Step at a Time

GDPR Compliance: One Step at a Time

Steve Wright, Data Privacy & Information Security Officer, John Lewis Partnership
| Posted at 3:04 PM by ISACA News | Category: Privacy | Permalink | Email this Post | Comments (1)

Steve WrightMost of the people I speak to about GDPR are struggling with two main things.

The first one is how to interpret the GDPR text, specifically on issues like consent or new privacy rights like the “right to restrict processing,” the “right to oppose profiling,” or the scope of the “right to data portability.” The other is where to start, given the lack of detailed guidance on practical implementation.

I think these two are interlinked and have to be addressed together and simultaneously. In other words, I believe you should approach the GDPR program as a whole, and not try to separate out into different aspects or outsource the program in its entirety as some of the people I’m speaking with are doing.

My business leaders, data owners, IT architects and the CIO have all been badgering me for clear guidance or definitive policy statements, which is really hard when the GDPR text is very oblique and vague on the ‘what’ and ‘how,’ and there is no regulatory guidance or case law yet. They want absolutes – like a rule book or PCI. They want hard facts with yes or no answers. Well, this simply is not possible.

In the past, I turned to lawyers, who kept on telling me “it depends,” which is no good when you need to provide definitive or strategic direction. So instead, we got down into the weeds of the text, and I worked night and day with my in-house lawyer, a solutions architect and really good privacy analysts. Between us, we developed the GDPR Framework and the Privacy Playbook.

The GDPR Framework is like it sounds, a concept model – a framework by which the architects and business could start to consider from a system or process perspective the impacts of “the minimum rules.” The Privacy Playbook allowed us the flexibility to develop, amend, collaborate and interpret the text and conduct ‘what if’ scenarios that helped shape crunch decisions that were needed by the business, so that they could get on with business planning (impact vs risk). The decisions were captured as policy decisions, to ensure the full impact of changes could be considered and absorbed by the business.

So far, this collaborative approach has worked out well, as now we are drafting a consolidated version of the Playbook – with the minimum outcomes necessary to comply. We have completed the discovery exercise to understand the current proliferation of key data sets, and we are considering the full implications (and options) of what ‘good’ GDPR compliance looks like.

The board is now on board, and the path to compliance is clearer to get us to our compliance milestone of May 2018.

One thing is for sure, the only way to get there is by taking one step at a time.

Editor’s note: For more on GDPR, register for the 14 September webinar, “How to Jump Start GDPR with Identity & Access Management.”


EU GDPR compliance is not as complex as some claim

The EU GDPR is simply the continuation of the previous privacy laws from 1993 within the EU. Around 80-90% has remained the same, so not many things are new in this EU GDPR.  The main driver for EU GDPR is uniformity within the EU.
Personally, I have read the complete EU GDPR and the clarification documents by the European Commission.  I do like the readability of the documents (no legal texts) and I recommend people to really read the text instead of being scared the living daylights out of them by consultants and other gurus. 

The EU GDPR is not a framework but a regulation which is voted and approved and will turn active as of Friday 25th of May 2018.  Obviously organisations can ask their questions to their Data Protection Authority in their country for free.
Most Data Protection Authorities are providing more detailed guidance but obviously one has to look for it.
And as always, everyone will learn from incidents after May 2018: organisations, regulators, governments and the EU. 
I hope we can keep privacy in a positive light since that what it deserves: protecting the personal information from citizens / customers with proper care.
Marc Vael at 8/18/2017 2:32 AM
You must be logged in and a member to post a comment to this blog.