The race for GDPR compliance
The European Union (EU) is getting serious about data privacy. With a new regulatory regime set to go into effect in late May, organizations are scrambling to complete compliance projects. Failure has a punishing price tag: The new General Data Protection Regulation (GDPR) mandates initial fines as high as €10 million or 2 percent of annual revenue (whichever is greater); second offenses are doubled.
The new law is intended to protect the privacy of EU citizens while harmonizing laws across Europe by creating a single standard for how companies handle data. It applies to all organizations doing business in the EU—not just those based there.
In theory the GDPR should simplify the way data is captured, managed and stored. But in reality, it is creating challenges for project teams around the globe as they race to accommodate the new law’s requirements before they are officially implemented on 25 May 2018, says Nick Rafferty, COO of SureCloud, London, England. His organization provides governance, risk and compliance applications, and cybersecurity services.
For instance, because data is captured and sent via so many different channels and people, many of which are informal communications, it can be overwhelming to track down every potential risk. And even if an organization identifies every way it might be violating the GDPR, implementing processes and solutions that comply with the law without encumbering easy communication can be challenging, says Mr. Rafferty.
“From a project management standpoint, these projects are very complex, with many workstreams and stakeholders.”
GDPR applies to the personal and professional data of all EU residents. That can encompass the names and addresses of customers, bank account details, medical information, social media posts and even images. To be compliant, companies have to address how data is captured, managed and stored across the organization, updating privacy notices, consent requirements and service agreements. And they must document every data-handling process to demonstrate compliance.
Meeting all GDPR requirements is a complicated process—and “the penalties aren’t intended to be a slap on the wrist,” says Christine Lyon, a partner at the law firm Morrison & Foerster LLP, Palo Alto, California, USA. “They are intended to drive compliance.”
Yet most organizations are nowhere near ready. Forrester predicts 80 percent of companies will fail to comply with GDPR this year. And just 10 percent of respondents in a September 2017 survey by WatchGuard Technologies said their organization was 100 percent ready for the new GDPR. Some organizations simply don’t have the time or resources to comply on time. “Even companies that began working on these projects two years ago are under a crunch,” Ms. Lyon says.
With the deadline looming, many organizations are taking a risk-based approach to compliance. Teams are focusing on areas of the business most vulnerable to data breaches and working out from there, Mr. Rafferty says. Once a company determines that it is subject to GDPR, it should begin with a data-mapping project to track every piece of affected data that the company owns, uses or stores, he says. “You have to understand where the data is before you can attempt to comply.”
Understanding the data landscape requires project teams to engage with multiple stakeholders across the company, such as representatives from each business unit, to gather details about the data their teams capture and use. Mr. Rafferty suggests companies find a champion in each department to liaise with IT teams. In-house data stored in systems will be fairly easy to track. But the unstructured informal data that gets transferred in and out of the company—think client emails with attachments—can be tricky.
“A lot of this unstructured data isn’t captured in any formal database,” Mr. Rafferty says. “It’s exchanged in emails and stored in spreadsheets on someone’s laptop. But it still has implications for the GDPR.”
The data map combined with a gap analysis can be used to justify investment in GDPR-compliance projects. Once companies know what needs to be done, teams can start by removing any personal data they no longer need, a step that minimizes risk and optimizes their data storage, Mr. Rafferty says. Then they can focus on areas of the business that collect the most personal data, including marketing, sales and procurement.
While it’s unclear how aggressively the EU government will crack down on noncompliant organizations this year, Ms. Lyon believes that if companies can prove they are making good-faith efforts to achieve compliance, regulators may be appeased, at least in the near term.
The main thing is to be able to show good-faith efforts toward compliance. “There is a tendency to get overwhelmed and put these projects off, but you can’t let perfect be the enemy of good,” she says.
Mr. Rafferty agrees. “Focus on where you have the most volume of personal data and break projects into stages,” he says. The more organizations can reduce risks, the better off they will be.
Written by Sarah Fister Gale at Project Management Institute