Upon reaching a major milestone in our Intelligent GDPR Product (contact me to find out more), I thought it worth sharing some interesting musings I’ve had along the way – all of which originated from a very simple question:
Can automation enable companies to manage continual GDPR compliance?
This simple question opened up several thought processes:
- Do we understand the regulation?
- Where are the areas that will, potentially, require significant investment – both in leading up to Day 1 and then from Day 2 onward?
- What could / should the technology mix be to enable continual compliance?
- What is the scope for automation?
Armed with these questions, I began engaging with some of the biggest firms in the UK around their thinking. That is when things really got interesting.
Clear as Mud
Throughout the current GDPR guidance there are loads of grey areas. For example: how deep do we have to scan our data lakes to find relevant data (file names only, or file contents too)? And once we have identified the data, how should we format it so that it is useful and readable, and so that unrelated, sensitive information is redacted (for instance, where two people's personally identifiable information [PII] appears on the same email thread)? Is it OK to give someone a screen grab of their personal information, or does it need to be organised in a structured format?
It is this vagueness that has created some very polarised thinking and, more worryingly, delayed action planning amongst many of the business leaders I am speaking with about their approach to GDPR.
Here are some highlights from my initial conversations:
- The GDPR Trojan Horse – many consultants and industry commentators are spending a lot of energy fear-mongering the market around the impact of non-compliance rather than helping organisations understand the true nature of the regulation: data management. In contrast to the groundswell around Y2K, GDPR is significantly more complex, because data is not singularly a technology, people or system problem. It is all three, simultaneously. Seeking to understand the nature of data (how it is accessed, stored and manipulated, and its overall purpose) should be the critical starting point for all business leaders. The GDPR is a major overhaul of the old Data Protection Act, aiming to give more power back to data owners (customers, employees) and forcing businesses to take more responsibility for the implications of data ownership. The GDPR Trojan Horse is this: once the regulation is in place, a series of additional, more stringent regulations around data management, security and ownership (such as the Cyber Security Directive, coming out this year) will begin to roll out. Like Disney's vision for Star Wars, we should expect and prepare for a thrilling addition to the data franchise every year.
- Extreme thinking – The GDPR places additional pressure on businesses, beyond the scope of the current Data Protection Act, to ensure that data is understood (requiring systems and data processing activities to be mapped at a granular level), that data is managed (requiring a combination of people and technology to access, retrieve and manipulate it) and that data is secure (requiring more transparency around data breaches and better data encryption). Not only do businesses need to understand these three elements, they also need to ensure that their customers and employees understand how their data is being processed. It is this additional pressure that has split (almost polarised) many of the businesses I am speaking with into two camps:
- Some organisations have spent the last 12 months actively understanding the GDPR, agreeing a plan of action (around the very specific, clear aspects of the regulation) and have begun to implement some of the changes – specifically in front-end customer interfaces such as websites (asking customers to opt in to communications, anonymising certain online / offline activities).
- At the other end of the spectrum are those organisations which see the regulation as a burden and a hindrance in a very turbulent economic and political environment. A common piece of feedback I received (on more than one occasion) was "we will wait until we are audited before investing in the regulation". In about 90% of my conversations with business leaders, they are aware of the regulation and its requirements; however, beyond meeting the Day 1 requirements, many simply do not have an action plan for continual compliance from Day 2 and beyond.
- Applying old thinking to a new problem – Following closely on from my previous point, the action plan many business leaders have agreed on for managing continual compliance from Day 2 and beyond typically involves the recruitment of an 'army of administrators'. Acting as human APIs, these additional low-value-adding roles administer the record keeping, management of requests and compilation of data – and are generally there 'just in case'. Not only does this create the need for an additional layer of management, it fundamentally doesn't solve the underlying problem of effective data management and, worse, creates new risks around data quality and breaches (sending the wrong information to the wrong person can itself be seen as non-compliance). Of course, on the other side of this coin are the over-zealous, slightly sensationalist technology vendors touting their software as a silver-bullet solution – whether it is Security, Verification, Data Management, Policy Management, Workflow, etc. – which again has created complexity around the right mix of people and technology to meet Day 1 and Day 2 requirements. This complexity is causing disbelief amongst senior execs, who are very reluctant to initiate any kind of large-scale technology project before the May 25 deadline. Forward-thinking business leaders are taking a step back from these old solutions and are asking:
- What should the target operating model for managing continual compliance look like in our organisation?
- How do we ensure we have a robust roadmap for data we own, control and process vs data owned, controlled and processed by third parties?
- What are the skills, tools and techniques required to build a robust, sustainable approach to meeting and managing this regulation – one that can also scale into upcoming regulations?
Coming back to our initial question:
Can automation enable companies to manage continual GDPR compliance?
Answer: Absolutely – particularly around managing the execution of Day 2 and beyond continual compliance activities such as Data Subject Requests and breach notifications. BUT I would challenge you to take a step back and think more broadly about data and its purpose in your business, the target operating model for technology / people / systems, and what data ownership means to you as a business.
Ready to learn more?
Click here to access our on-demand webinar discussing GDPR: The Challenge with Continual Compliance.
Over the coming weeks I will be diving deeper into each of the questions I posed at the start of this article. If you cannot wait that long and would like to talk through some of our findings and identified solutions to continual compliance, please reach out to me at email@example.com
About Symphony Labs
Symphony Labs aims to be the watchtower for our business and our clients, enabling both entities to identify interesting new solutions, ways of thinking and capabilities that will improve operations, enhance customer experience and drive real bottom-line impact.