Over the last year, I have had the pleasure of participating in hundreds of conversations on General Data Protection Regulation (GDPR). From these conversations, I’ve gotten an understanding of the struggles organizations are trying to solve when it comes to the 99 new GDPR regulations. The big challenge is that the EU has remained relatively silent on what processes, applications, methodologies and procedures should be applied in order for an auditor to walk away satisfied. As a result, there’s a debate over what organizations need to do in order to be compliant and capable. The EU regulators seem to prefer to see what the market will produce and will go from there. In other words, they do not really know what to expect and they’re leaving it in our hands to cultivate an appropriate solution.
What’s in a Definition?
In the data privacy and protection industry, there are many terms we have to understand to help us on our GDPR journey. We kick around acronyms like Privacy Impact Assessment (PIA), Privacy Information (PI), Data Privacy/Protection (DP), Privacy by Design (PbD), Personally Identifiable Information (PII), Processing of Personal Data (PDD), Single View of Privacy (SVoP) and so forth. The challenge is that even if we define them, various industries and geographies around the world can interpret these in slightly different contexts. (Cue web forum arguments.)
GDPR helps a bit by expanding the definition of Personally Identifiable Information (PII):
PII is any information about an individual that can be used directly, or in connection with other data, to identify, contact or locate that person. Such information can include medical, educational, financial, legal and employment records.
Sounds simple, right?
How to Make Sense of the GDPR Challenge
I like to think of the GDPR challenge as consisting of three distinct building blocks that need to be addressed if you want to be successful. Let’s use the example of opening up a new GDPR-themed kitchen (sounds awesome, right?).
- Before I even open my doors, I have to get my legal house in order. These are the types of things needed to run any business, like getting a liquor license, occupancy and safety registration, and insurance.
- Next, I have to build out my menu for my customers. I may have a head chef, but is the information around ingredients, recipes, where to buy food, and how to cook it written down, or is it only in his head? As a responsible business owner, the key to my restaurant’s success is consistency and commitment to my customers. So, it’s crucial that their meal is prepared exactly as they want it and without unexpected variations. If my head chef leaves, then what do I do? How will I know what processes to follow to get my ingredients and cook them the same way as always? Now, this is no ordinary kitchen; this is a GDPR kitchen, and there are certain rules I have to follow. For instance, I must now provide proof to the food critic that certain foods are organic, kosher, or contain no GMOs or gluten. I also have to prove to him that I know where those foods come from and who my suppliers are. I know my chef knows, but do I?
- Finally, I have to make sure that my staff knows how to deal with my customers. My policy is “My customer is always right.” So any additional requests they have for their meal must be promptly addressed. Is their soup too cold? Do they want a large salad instead of the standard one? A well-trained staff with the ability to respond to my customers’ needs is pivotal to the GDPR kitchen’s success.
Combining all three building blocks will satisfy compliance in the eyes of the food critic, and you’ll earn that Michelin star you’ve always wanted, because you’ve proved that you are not just compliant but capable, especially over the long term.
The Checklist to Success
The secret sauce of GDPR compliance is not that complicated.
- Find a partner that understands the three building blocks and how to address each.
- Start with your legal department and get your code of conduct and privacy policies lined up. If you have not done a PIA (Privacy Impact Assessment), I highly recommend it.
- Next, find a solution, not just a framework, for building your recipes and your menu items. There are several tools out there that will help you build a menu, but not many that come with the menu items, the most popular foods, and how to prepare them already built and ready for you to adjust as needed.
- Finally, align your menu to your customer. Ask yourself whether you are serving the right food in the right way to the people coming to your GDPR kitchen.
How We Can Help
Our Information Value Management® Platform for GDPR can help you find the data that matters and align that with the GDPR objective. It provides the link between how GDPR compliance is aligned with business processes, and how both are aligned to the underlying data repositories. Our GDPR solution provides a governing framework with Assets and Accelerators specifically designed for GDPR. We identify 11 capability areas for GDPR compliance and incorporate them into 12 correlated areas for data governance, data stewardship, metadata management and data discovery.
Curious to find out more? Let us know and we’ll give you a call!