Over the past year, I’ve had dozens of discussions with customers, partners, and thought leaders on the challenges and opportunities they face in achieving GDPR compliance.
Since September, I’ve seen an undeniable uptick in the number of companies focused on the “how” rather than the “why” or the “what” of GDPR. Interest has spread across countries, from the UK to Germany, the Nordics to Spain, Italy to France and BeNeLux. But the most insightful discussions I’ve heard on GDPR so far took place in Stockholm, at the #data2020 event in September.
The good news is that the interactive panel session dedicated to this topic has been recorded and is now publicly available. I had the privilege to participate in this session moderated by Patrick Eckemo, a Swedish IT strategist, together with Johan Wisenborn, who heads Data Privacy Country Operations at Novartis, and Richard Hogg, Global GDPR evangelist at IBM.
You can access this session below. And here are my five takeaways.
GDPR is very broad, but it is just the beginning of a bigger focus on data governance
Johan Wisenborn of Novartis highlighted the fact that the headcount dedicated to data privacy in his legal department grew from 3 to 40 people in only two years. He also noted that, although GDPR clearly sets the highest standard in terms of regulations, he was confronted with a growing number of regulations for data privacy and data sovereignty around the world, from Japan to Australia, China to Canada, and India to South Africa.
The panel also made it clear that the stakes go well beyond regulatory compliance. In this data-driven world, trust has become the new currency. Now that insights and innovations depend on big data, there is no option but to have total control of your data; otherwise, your customers won’t buy in. Only organizations that have nurtured a trusted relationship with their employees and customers will be able to reap the benefits of personal data and drive the latest innovations, such as precision medicine.
It all starts with accountability
As the panelists noted in the video, most of the privacy rules that come with GDPR were already expressed in earlier regulations, but the principle of accountability makes it game-changing. GDPR is much more explicit about the requirement for an organization to define internal responsibilities, to implement the measures and platforms for enforcing privacy rules, and to demonstrate compliance with the GDPR principles. As a result, defining responsibilities should be considered a prerequisite for kicking off a GDPR project.
Once a Data Protection Officer has been named, the organization can assess its risks. A recent Data IQ survey on GDPR shows that more than half of organizations, including those that rate themselves as being at a very early stage of GDPR compliance, have now nominated their Data Protection Officer. Then the focus can shift from the “why” to the “what” and to the “how”, while accountability spreads across the organization by getting C-level attention and educating the workforce on GDPR and on what is expected of them for compliance.
Start with the foundations
The panelists highlighted Article 30 of GDPR as a top priority. This article states: “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility”. Clarifying how Privacy Impact Assessments will be carried out, together with mapping your personal data across your organization, should also be considered in the early steps of your project. It won’t make you fully compliant, but it sets the foundations for your GDPR program and puts it on the right track. You might not need tools at first sight to achieve this, but keep in mind that you are setting the foundations and that your personal data landscape will constantly evolve over time.
Get the resources, make the case, define your priorities
GDPR is regularly compared to Y2K or the euro changeover, as it puts new requirements on legacy systems. But contrary to those one-shot exercises, data privacy is a journey that won’t be over by May 25th, 2018. It requires a staged approach that starts with a forensic gap analysis and data assessment, followed by a management plan and the assignment of roles. Then the real project starts: establishing and operationalizing the needed controls and stewardship activities, measuring results, and tracking gaps and potential improvements. This is much more than a one-time tick-box exercise that might fade away as time goes by. Privacy is a big thing in the digital era, so be prepared to see the bar get higher over time as customer expectations increase and regulations related to data sovereignty burgeon across countries.
Invest in consent and the rights of the data subject
GDPR is not just another regulation. It is about putting individuals in control of their data, and thereby reinforcing customer trust and engagement, as well as growing a brand’s reputation. Starting on May 25th, your customers, prospects, visitors and stakeholders will be empowered to challenge your privacy practices through simple actions, such as giving or withdrawing consent, or exercising their rights: the right to be informed, to restrict processing or to object; the right of access, to data portability, or to rectification; or the right to be forgotten and the right not to be subject to automated profiling and decision-making.
This part of the regulation constitutes the most visible, customer-facing side of GDPR. The interactive sessions during Data 2020 showed that very few organizations have yet considered who will be responsible for this topic and how it will ultimately be delivered to their customers.
So, there you have it. My top takeaways from what I perceived to be some of the most insightful conversations on GDPR. What are your thoughts? Leave a comment below or tweet me here. I’d love to hear your take.