Deloitte tells us that, “…it is time to move from guessing and assumptions towards action. That time will run out, long before we reach the deadline for compliance in relation to GDPR.”
I am positive that I am not the only one feeling both a little bit stressed and disoriented by the General Data Protection Regulation (GDPR). Tell me again – where exactly is it that I am supposed to go? I’m eager to comply, so let’s dig into this in search of direction.
Ready... Set... GO!
Let’s imagine for a minute that we are all ready to start running towards full GDPR compliance. Shoes tied. Water bottles filled. Starting line in sight. Then a person appears. He hands you a piece of paper and asks you politely to answer a few questions before the race starts:
1. What data does your company hold?
“Ahh, that one is easy,” you think. You list the different systems that come to mind: ERP, CRM, HR. But then you wonder, “What is the name of the system we use for data analytics?” and in that moment you realise that it is not just the system’s name that needs to be documented, but the entire data model inside the system!
2. Where does your company store this data?
Maybe you are lucky enough to be able to write up a complete list of your company’s IT systems. With that list in your hand, you ask your IT department where the systems store their data. They could very well get back to you with the names of various other systems that aren’t even mentioned on your list. Your search would prove one thing at least – that now there are even more systems to document.
3. What is the data used for?
“It’s used for business operations,” your finance department will answer, before also mentioning budgeting, forecasting, BI and analytics. They might even add a few more systems to your list, since they will include the data warehouses and analytical tools they use. If you press them to define what they mean by “business operations,” they’ll say something like, “You know… reporting, analysis. Some self-service BI too.” Then they’ll look at you and ask whether you REALLY need a complete list of where every little piece of data is used.
The more people within your business you ask, the longer the list of systems and different kinds of data usage becomes. Asking “Why?” will turn your list into a novel and may even include some department’s dream of “eventually using this data for a certain purpose. Maybe.”
And that’s before you glance at the next question on the piece of paper:
4. Who has access to the data?
Had this question been the first one, you would have felt so certain that the answer would be an easy one – just ask IT. But as the list of systems and data usage has grown, your certainty has faded.
The answer doesn’t just cover access to the main company systems, but also data that’s being pulled into separate systems for data analysis and visualisations, and even data that’s ‘just’ being fetched into Excel and later emailed ‘to whom it may concern’. Who has access to data? Probably a lot more people than you think.
The race is on to be GDPR compliant and there is lots of ground to cover. Since 25 May 2018 is approaching fast, we all need to pick up speed. Maybe the answer isn’t about adding as many resources as possible to cover the most mileage. Maybe instead we should all be looking for different approaches that will enable us to reach GDPR compliance: smarter ways to work, and services and tools that support the tasks of documentation, security and logging, along with whatever other tasks GDPR compliance requires. Whatever it takes for us all to reach the finish line in time.
At the very least, if you plan on wearing out several pairs of running shoes to race to the finish, make sure that your employer pays for some of them!
Source: Deloitte (in Danish)