Decision paralysis – how to get started on the GDPR

The acronym “GDPR” seems innocuous enough, however, what it stands for, i.e. the new General Data Protection Regulation certainly is not. This legal obligation, affecting any organization around the world that does business in Europe (regardless of HQ location), results in stringent demands on the protection and management of personal data.

Unless you’ve been hiding under a rock for the past six months, there are four letters creating a great deal of fear and confusion globally among both legal and IT professionals alike.

The acronym “GDPR” seems innocuous enough, however, what it stands for, i.e. the new General Data Protection Regulation certainly is not. This legal obligation, affecting any organization around the world that does business in Europe (regardless of HQ location), results in stringent demands on the protection and management of personal data.  

After a slow start, organizations are waking up to the financial risks of failure to comply in a race against the clock, as the deadline of May 25, 2018 looms.

Many are yet to really make meaningful progress towards GDPR compliance. A recent Veritas survey found that less than two per cent of organizations currently meet the legal requirements. This isn’t necessarily due to laziness, but is perhaps more a case of decision paralysis.

Knowing where to start with the GDPR can be a real headache, thanks largely to the regulation’s complexity and number of moving parts.   

It’s not much different for the expensive consulting teams being paid millions of dollars to drive GDPR projects for their customers. 

While there are a number of approaches to tackling the GDPR, some may yield results more quickly than others. One approach is to first look at the IT estate and identify the applications that are likely to be used to access personal customer data. Understanding which applications are used by your organization to access such data can help focus teams tasked with driving compliance.

In one manufacturing organization we work with, its 35,000 employees regularly use as many as 11,000 distinct software titles –on-premise and in the cloud. That’s a lot of software, but no more than is typical of an organization of that scale. It doesn’t detract from 11,000 software titles being a very long list to sift through manually – identifying the nature of the application, what data it is likely to be accessed – and from where – who is using it, where they are based, and more. 

By running that software inventory against a database of applications with an identified potential GDPR risk, it could focus its efforts on less than 100 applications, rather than 11,000. Suddenly the impossible became possible.

The GDPR team still needed to identify what data was being accessed by what applications, where that data was being stored, who was using the applications and where they were located. But rather than having to do this for the entire software estate, the team could focus on the less-than-1 per cent of applications that really mattered in GDPR terms.   

Throw yourself a RoPA

For organizations that haven’t already made significant headway towards GDPR compliance, it’s time to face a harsh reality. Your chances of being ready by the May 2018 deadline are, well, practically non-existent. 

It is better to focus on what you need to do between now and then to make yourself less attractive to those regulators charged with rigorously enforcing the GDPR. 

The key to satisfying regulators and building a plan to achieve compliance in a reasonable timeframe can be found in the Record of Processing Activities (RoPA); also recognized as Article 30 of the regulation, comprising five key obligations. 

Talking with GDPR consultants, their key focus when embarking on an ‘emergency’ project for clients is to make it clear that the RoPA is key to short-term focus and success.

This is where the inventory of applications can significantly aid the process of creating the RoPA, to identify and manage risks associated with the data accessed by users and applications, and, more importantly, help instill a plan for internal and external teams to address the perceived major risks. 

Show ‘Best Efforts’ to reduce risks

To interpret the ‘you won’t be ready by May 2018’ statement as a reason to continue ignoring the GDPR is to misread the situation completely. Regulators across Europe are already under a lot of pressure to identify example cases to prosecute immediately upon the regulation’s introduction.

Most already have watch lists of organizations they intend to investigate. However, regulators are themselves under-staffed in most cases and simply don’t have the resources to chase everyone.  

So, even if you can’t complete your GDPR project (and arguably, GDPR compliance is never ‘complete’ as it will be an ongoing requirement) by May 2018, you can take firm steps to show ‘Best Efforts’ and make your organization a far less attractive target than those who continue to bury their heads in the sand. 

The key is to show that you understand the current situation, have identified the key risks, and have an ongoing plan to remediate any perceived risks.