For several years, companies and regulators have been planning for the beginning of enforcement around the GDPR. Now, after much anticipation, May 25 has arrived – already challenging its first two organizations – and we are all wondering what will happen next. Unlike the build-up to Y2K, the GDPR is not an event – it is more like having children: a commitment and a responsibility for the foreseeable future. And this child is likely to stay under your roof for a long time!
ASG will be hosting the webinar GDPR: Beyond Compliance on 6 June 2018 at 1pm (BST) with KPMG.
The webinar will be hosted by the respected, award-winning journalist Mike Simons and feature Ronald Jonker of KPMG Advisory N.V. and Ian Rowlands of ASG Technologies. This article was previously published here.
But what now? When it comes to compliance, which camp are you in? Of the 85 percent of organizations still unprepared for the GDPR, do you belong to the nearly two-thirds that are still three to nine months away from compliance; the six percent that are twelve to fifteen months away; or the three percent that are more than fifteen months away and wear a deer-in-the-headlights look, saying "I was really hoping this didn't apply to us!"?
No matter which group you identify with, there is still work to be done after the beginning of GDPR enforcement. If you’re among those that have worked hard to achieve compliance, you’ll still need to make sure you are ready to perform against these new regulatory standards and demonstrate your compliance. If you belong to the latter groups, you’ll need to identify the gaps in your compliance strategy and put plans in place to close them.
Steps to Complete Compliance
Data discovery is a common gap among the compliance laggards. These companies are still trying to get a handle on what personal data they have in their data estate. Tools like ASG’s Data Intelligence platform can scan the data sources and, by using metadata, lineage and intelligent matching, build an inventory of data that may be protected under the GDPR.
But assuming your organization has moved past this basic step, what is needed to stay in compliance over the long term? How do you demonstrate that you are compliant? There are certainly procedures to follow – like obtaining and recording consent – and actions to take – such as appointing a Data Protection Officer where the regulation requires one – but you will also need to record and report on your activities in order to track your progress and demonstrate to the supervisory authorities that you are compliant.
For this, you will need reports on the personal data – a broader category under the GDPR than the "personally identifiable information" of many US frameworks, since it covers any information relating to an identified or identifiable person – that show you know the data you are responsible for, including recording and classifying protected data in the glossary so that users know what they can and cannot do with it. You will also need to perform privacy impact assessments (PIAs), which the GDPR calls data protection impact assessments (DPIAs) and requires for processing that is likely to result in a high risk to individuals, and record the results. By putting these basic recording and reporting processes in place, your organization will be equipped with an important basis for maintaining compliance over time.
In addition to ensuring you know what data is there and recording the results of PIAs, it is important for compliance-centered companies to create process maps that show how protected data moves through the organization. These can show where the data is vulnerable, and whether and how it moves to outside processors or beyond protected areas. Where data leaves the EEA, you will then need to record that protections are in place through model agreements (standard contractual clauses) or binding corporate rules, and to keep processor contracts on file for any third party handling the data on your behalf.
Technology is not only helpful in this process – it is essential to achieving and maintaining compliance. Automated discovery and lineage create and maintain transparency into your processes and the data being managed. Reporting supports an "audit-ready" position so that any questions from supervisory authorities can be answered without a fire drill. And data intelligence change detection prevents new problems from sneaking in: the data catalog spots personal information amongst new data, and data lineage version comparison alerts you to changes in how that personal data is handled.
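As an added illustration of the discovery and change-detection idea above, and of the data-discovery gap described under "Steps to Complete Compliance", the following Python sketch shows the two mechanisms in miniature: it classifies catalog columns as personal data with simple format detectors, then compares two snapshots of the catalog and raises an alert when a new personal-data column appears or when a dataset holding personal data gains a new downstream consumer. This is example code written for this edit, not code from the original article and not ASG's product; the catalog structure, the dataset names, the sample values and the detector patterns are all constructed assumptions for the illustration.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Column-level detectors for a few common personal-data formats. These are
# deliberately simple illustrations (assumptions), not a complete taxonomy.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "iban": re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}"),
}

# A catalog snapshot: dataset name -> {"columns": {column: sample values},
#                                       "consumers": {downstream systems}}
# The "consumers" set is the lineage edge we track between versions.
Catalog = Dict[str, dict]


def classify_column(values: Sequence[str], threshold: float = 0.8) -> Optional[str]:
    """Label a column with the PII category that most of its sampled values match.

    A column counts as personal data only when at least `threshold` of the
    sample matches one detector, so a single address in a free-text field
    does not flag the whole column.
    """
    if not values:
        return None
    best, best_ratio = None, 0.0
    for label, pattern in PII_PATTERNS.items():
        hits = sum(1 for v in values if pattern.fullmatch(v.strip()))
        ratio = hits / len(values)
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = label, ratio
    return best


def scan_catalog(catalog: Catalog) -> Dict[str, Dict[str, str]]:
    """Build the personal-data inventory: dataset -> {column: category}."""
    inventory: Dict[str, Dict[str, str]] = {}
    for dataset, meta in catalog.items():
        found = {}
        for column, sample in meta["columns"].items():
            label = classify_column(sample)
            if label:
                found[column] = label
        if found:
            inventory[dataset] = found
    return inventory


def diff_snapshots(old: Catalog, new: Catalog) -> List[Tuple[str, str, str]]:
    """Compare two catalog versions and report changes that affect personal data.

    Alerts are (dataset, kind, detail) tuples, sorted for stable output:
      new_pii_column  a column that now looks like personal data
      new_consumer    a dataset holding personal data gained a downstream consumer
    """
    old_inv, new_inv = scan_catalog(old), scan_catalog(new)
    alerts: List[Tuple[str, str, str]] = []
    for dataset, columns in new_inv.items():
        for column, label in columns.items():
            if column not in old_inv.get(dataset, {}):
                alerts.append((dataset, "new_pii_column", f"{column} ({label})"))
        old_consumers = old.get(dataset, {}).get("consumers", set())
        for consumer in new[dataset]["consumers"] - old_consumers:
            alerts.append((dataset, "new_consumer", consumer))
    return sorted(alerts)


# Constructed sample snapshots (not real data): v2 adds a phone column, a new
# marketing consumer of the customer table, and a new support dataset.
SNAPSHOT_V1: Catalog = {
    "crm.customers": {
        "columns": {
            "customer_id": ["1001", "1002", "1003"],
            "email": ["ann@example.org", "bob@example.net", "cy@example.com"],
            "country": ["DE", "NL", "FR"],
        },
        "consumers": {"billing.invoices"},
    },
}

SNAPSHOT_V2: Catalog = {
    "crm.customers": {
        "columns": {
            "customer_id": ["1001", "1002", "1003"],
            "email": ["ann@example.org", "bob@example.net", "cy@example.com"],
            "country": ["DE", "NL", "FR"],
            "phone": ["+31 20 123 4567", "+49 30 9876543", "+33 1 2345 6789"],
        },
        "consumers": {"billing.invoices", "marketing.campaigns"},
    },
    "support.tickets": {
        "columns": {
            "ticket_id": ["T-1", "T-2", "T-3"],
            "reporter_email": ["ann@example.org", "dee@example.com", "eve@example.net"],
            "notes": ["ann@example.org", "called back", "resolved"],
        },
        "consumers": set(),
    },
}

if __name__ == "__main__":
    print("inventory:", scan_catalog(SNAPSHOT_V2))
    for dataset, kind, detail in diff_snapshots(SNAPSHOT_V1, SNAPSHOT_V2):
        print(f"ALERT {kind:15} {dataset}: {detail}")
```

The threshold in `classify_column` is the practical knob: the `notes` column contains one email address but is not inventoried, whereas `reporter_email` is. In a real estate the detectors would be supplemented by metadata (column names, glossary terms) and the consumer sets would come from the lineage graph rather than a hand-written dictionary, but the review loop is the same: rescan, diff against the last approved version, and treat every new personal-data column or new downstream consumer as something that needs a recorded decision.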
The best news is that complying with the GDPR requires improved data management processes that benefit the entire organization and serve as a foundation for becoming an information company. By knowing their data, organizations can know their business, managing it more effectively while converting their data to value by augmenting current products or offering it as a new product line.