GDPR is a vital Change Management discipline
If lawyers and consultants implemented GDPR as a project, while the rest of the company carried on as business as usual, there would not be a need for a change process to implement GDPR. Use the fines and share price impact if management commitment is an issue. However the right change processes can help clean up IT and data, develop business growth and streamline processes.
GDPR as an opportunity to do information governance by identifying the IT and data needs and the threat to business models, growth and innovation. Therefore change management is critical because there are policies, processes, technologies and cultures at stake, many of which you need to adapt to change. Alter the amount of change will vary between organisations due to significance and impact on the personal data processes and handling requirements that are introduced by the GDPR.
Alice in Wonderland and the Cheshire Cat
If you are going down the wrong path and you are not reviewing and adjusting GDPR will get anywhere. Like Alice in Wonderland if the Cheshire Cat is asking her where she is going? If you don't know where you are going, then it doesn't matter where you go. A gap analysis will most probably address the need to streamline the complexities of IT and data operations, find the right path and in most cases, result in cost savings in the long run.
A real change management ‘department’ can take a holistic view on IT, data and information governance that involves information security, marketing, HR and product development departments to ensure that the organisation is improving its governance and risk management across these departments, rather than implementing a check-the-box compliance exercise that the lawyers, consultants or DPOs are doing I a corner office of the organisation.
The Scope, Data Consent and Portability are the biggest GDPR worries.
One of the most significant concerns for any team is the GDPR’s requirement for explicit consent, not only of the primary reason but getting consent from data subjects to secondary processing as well.
The concern for consent frequently kindles from the often misplaced idea that consent is required to provide the lawful basis for the treatment of personal data. However, the key is the realisation whether the data should be used at all;
- 'explicit consents' for sensitive data and international transfers
- Link the consents to the personal data inventory
- Confirm that the consents are clear and transparent
- Update the data subject rights
- Audit how the consents are documented and retained
Another big issue for concern is the right to data portability as only tele, energy and financial sectors have some experience of data portability. Organisations are struggling to come to grips with how data portability will work and what technological and process changes are needed to implement or to make data portability possible.
Lessons from the SOX implementation, interpretation and enforcement
GDPR regulation defines the scope in one way, the current guidance from most regulators widens the scope and the European Commission has recently said that regulators have gone too far . Management and the DPO are the confronted with the problem of deciding who to follow and which GDPR components are in scope. The decision is important due to the enormous and different cost implications. The same was the case in SOX implementation, interpretation and enforcement action in the good old days.
When mapping the data, you find where your data and data bases are stored, understand the contents and may sometimes give an opportunity for new services or products. Therefore it is critical for GDPR staff to go to GDPR workshops, seminars and boot camps to see the pitfalls of this so called harmonised regulation, get precise definitions and sort out the risks. Because of the multi jurisdictional reach of the GDPR, it is both a threat and a challenge for global or pan European companies operating across Europe to know exactly how the regulation will play out in different countries.
But the above GDPR issues are no excuse, not to streamline the GDPR technicality, address the IT security risks and challenges and nail the information governance, risk management and compliance once and for all.
Events:
Copenhagen 17th August 2017: http://copenhagencompliance.com/gdpr/
London 5th September 2017: http://copenhagencompliance.com/2017/gdpr-uk/
European Boot Camp 23rd November 2017: http://www.grcassembly.com/mailer/GDPR-Bootcamp.html