Guest Author: Michael Rasmussen, GRC Economist & Pundit, GRC 20/20 Research LLC
I love sailing. It has fascinated me since I was in high school, but only recently have I taken up learning to sail. While I have not sailed across an ocean, I have read many accounts of sailors getting stuck in the doldrums: the areas of the Atlantic and Pacific Oceans near the equator where a low-pressure zone creates a condition of little to no wind. A sailboat there is virtually stalled and stuck.
When pondering GDPR compliance solutions this morning at a coffee shop in London, I was thinking of the doldrums of compliance: that point when organizations tend to stall, become neglectful, and stop moving forward with compliance. This often happens shortly after a regulation's launch date. Organizations moved with some momentum to work toward GDPR compliance and made progress, but once the GDPR compliance date passed, businesses got distracted with other things and failed to maintain the same level of momentum, and with it the same level of GDPR compliance.
In year one of GDPR compliance, up through the initial compliance deadline of 25 May 2018, I saw a lot of organizations make great strides in addressing GDPR. They put the foundational components in place, but many have stalled on the follow-through. These organizations did well in:
- Appointing a Data Protection Officer (DPO)
- Defining and communicating policies and training for GDPR
- Documenting data flows and processes
- Conducting data protection impact assessments (DPIAs)
- Implementing, monitoring, and assessing controls for GDPR
- Establishing incident response procedures
The challenge is that the business is dynamic. It changes minute by minute and second by second. You may have been on top of your GDPR obligations on May 25, 2018 (on your journey to GDPR compliance), but the organization has changed significantly over the past six months, which may mean standards have slipped. Processes have changed, the business has changed, employees have changed, third parties have changed, and your customers have changed. Compliance management, particularly for a regulation like GDPR, has to be continuously managed and monitored. It is not a point-in-time effort but one that has to be addressed in the context of change. Personal data is pervasive across the data and processes of an organization (e.g., employee data, customer data, and sales data). Privacy management is about identifying and mitigating the compliance, brand, and business risks associated with processing personal data. It is about managing risks across the full lifecycle of data in an organization and its web of processes, transactions, relationships, and interactions.
Furthermore, while there has been a lot of progress and many compliance solutions for GDPR, I have not seen full execution by organizations on the principle of data protection by design and by default (Article 25) that is in the regulation. This requires an ongoing function that ensures that every new service or business process that makes use of personal data within your organization takes the protection of that data into consideration when new operational processes and technology builds are designed, and when existing ones are updated.
Another area of GDPR compliance that has not received enough attention in organizations is third-party risk management. Many data protection breaches happen through third-party relationships (e.g., vendors, contractors, outsourcers, law firms, and service providers). Organizations need to make sure their third parties are GDPR compliant as well and follow strict policies and controls that are aligned with the organization's own policies and controls. These data processors now have direct legal obligations, and direct legal liability, under GDPR. One additional requirement is that a data processor cannot engage a sub-processor (a 'fourth party') to process any personal data without the prior written authorization, whether specific or general, of its client (i.e., the data controller).
GDPR compliance (and all of its elements) is a process that needs to be continuously managed in today's distributed and dynamic organization. It is not a point-in-time effort, but one that has to stay in sync with the business as it evolves, adapts, changes, and morphs. Doing this with manual processes built on documents, spreadsheets, and emails will only lead to gaps, errors, and eventually significant issues of non-compliance, with potential penalties.
The other challenge is that GDPR is not alone. The California Consumer Privacy Act (CCPA) is around the corner with very similar requirements. GDPR, CCPA, and other privacy regulations are here to stay, and organizations require a defined and ongoing process to manage all aspects of privacy compliance.
Organizations need to build sustainable GDPR compliance solutions that are efficient, effective, and agile enough to keep up with a dynamic business environment. This is not a point-in-time effort; it requires ongoing diligence to work towards compliance, particularly as similar laws such as CCPA come into effect. Some questions organizations should consider:
- Are you stuck in the GDPR compliance doldrums?
- Your business has undoubtedly changed since May; have your documentation and controls for GDPR evolved with it?
- What are you doing to get out of the doldrums and move forward with complete and ongoing GDPR compliance and prepare for others like CCPA?
One way or the other there will be wind put back into your sails to get you out of the doldrums. Better that it comes from the organization's own proactive initiative; otherwise, it will be an incident, followed by regulatory action, that drives the organization forward.