Most of the people I speak to about GDPR are struggling with two main things.
The first one is how to interpret the GDPR text, specifically on issues like consent or new privacy rights like the “right to restrict processing,” the “right to oppose profiling,” or the scope of the “right to data portability.” The other is where to start, given the lack of detailed guidance on practical implementation.
I think these two are interlinked and have to be addressed together and simultaneously. In other words, I believe you should approach the GDPR program as a whole, and not try to separate out into different aspects or outsource the program in its entirety as some of the people I’m speaking with are doing.
My business leaders, data owners, IT architects and the CIO have all been badgering me for clear guidance or definitive policy statements, which is really hard when the GDPR text is very oblique and vague on the ‘what’ and ‘how,’ and there is no regulatory guidance or case law yet. They want absolutes – like a rule book or PCI. They want hard facts with yes or no answers. Well, this simply is not possible.
In the past, I turned to lawyers, who kept on telling me “it depends,” which is no good when you need to provide definitive or strategic direction. So instead, we got down into the weeds of the text, and I worked night and day with my in-house lawyer, a solutions architect and really good privacy analysts. Between us, we developed the GDPR Framework and the Privacy Playbook.
The GDPR Framework is like it sounds, a concept model – a framework by which the architects and business could start to consider from a system or process perspective the impacts of “the minimum rules.” The Privacy Playbook allowed us the flexibility to develop, amend, collaborate and interpret the text and conduct ‘what if’ scenarios that helped shape crunch decisions that were needed by the business, so that they could get on with business planning (impact vs risk). The decisions were captured as policy decisions, to ensure the full impact of changes could be considered and absorbed by the business.
So far, this collaborative approach has worked out well, as now we are drafting a consolidated version of the Playbook – with the minimum outcomes necessary to comply. We have completed the discovery exercise to understand the current proliferation of key data sets, and we are considering the full implications (and options) of what ‘good’ GDPR compliance looks like.
The board is now on board, and the path to compliance is clearer to get us to our compliance milestone of May 2018.
One thing is for sure, the only way to get there is by taking one step at a time.
Editor’s note: For more on GDPR, register for the 14 September webinar, “How to Jump Start GDPR with Identity & Access Management.”