Touted as the US’s GDPR event of the year, it seems fair to say the IAPP Global Privacy Summit provides the best reflection of the market these past few months. Since 2017, GDPR compliance has certainly grown in importance. Too many organizations, however, are stopping at data mapping and policy debates because they consider it ‘too early to consider technology.’
With GDPR going live in less than 2 months, that hardly seems likely. The stamina and persistence with which organizations still believe technology solutions are not worth the time or investment is frankly terrifying. Here’s why.
The Regulator’s Perspective
One of the best attended sessions at the Summit was a one-on-one conversation with Helen Dixon, the Irish Data Protection Commissioner. (A member of the ICO was also meant to be on the panel, but they had the small matter of Facebook to deal with.) Whilst the moderator did her best to ask Helen to “sympathize with the fact that GDPR asks a lot of organizations,” Helen was rather direct in her response: companies have had almost two years to prepare and, when it comes to enforcement, governing bodies are revving up. Ireland’s data protection office, for instance, has more than quadrupled its staff in preparation. They also recently received millions in additional budget.
While Ireland is only one governing force and the ICO themselves have said they view fines as a last resort, GDPR enforcement may come sooner than many expect… and too many are still woefully unprepared.
The Business Perspective
It’s almost natural to split GDPR compliance into subsets when looking at your own organization: structured and unstructured legacy data (pre-May 25) and new data (post-May 25). While I understand this two-pronged approach, I struggle to understand how organizations feel this moment—April 11, 2018—is far too early to consider a GDPR technology solution. Structured data you may be able to get a handle on using existing solutions.
But unstructured data? The very nature of unstructured data makes attaining granular understanding of your data next to impossible if all you have is a data mapping tool. The vast majority of legacy tools do not provide enough insight into what data—and vulnerabilities—reside where. And they certainly don’t prepare you to respond to a subject access request.
At the Summit, it became clear that many organizations are happy to play the waiting game to see which of the ‘big name social media outlets’ get hit first. But maybe the very narrative of how we approach GDPR needs to change. Rather than seeing the regulation as one that places handcuffs on an organization’s ability to prosper and grow, we should start viewing the regulation as one that, after certain cultural changes and policy updates, could actually enable prosperity.
GDPR asks organizations to act fairly without exception—to only process necessary information, to protect it, and to ensure internal policies reflect business needs and personal privacy. Data minimization is a perfect example of how organizations can best conduct business under GDPR while protecting the fidelity of their greatest asset: data. And imagine how much easier a consistently culled set of data would make litigation or SAR response.
The Technology Perspective
Purchasing a technology will always be a scary decision. But reacting to a problem after the fact and investing in a short-term point solution is exactly how we got into the mess we are in today. With GDPR as the spark, it’s time to have a serious conversation about privacy and how it can help—not hinder—our business going forward. Let’s not lose sight that, while GDPR is the hot-button issue of the day, the governance solutions we choose to help today will interact with solutions for future problems.
It’s time we take GDPR seriously and handle it in a way that allows our organizations to prosper and grow whilst also providing transparency and trust to the everyday consumer.