136 days and counting… GDPR Compliance
We operate in an increasingly digital world
The way we operate in business is changing, and in no area more so than the digital environment in which we work. The way we communicate, collaborate and store our sensitive data is, or soon will be, completely digital. Combine this with the advent of cloud platforms dominating our digital horizon and it should come as no surprise that it is quickly followed by a continuous stream of regulatory change, driven by our changing ways of working. As you are probably aware, in 2018 we are being flooded by acronym-based compliance laws and changes, with GDPR, MiFID II and PCI to name a few.
Using GDPR (the EU General Data Protection Regulation) as an example, we can see a plethora of white papers, free tools, impact assessments and consulting offerings. Yet we are at 136 days and counting on the run-in to go-live. So when is a good time to panic?
Well, panic might be a bit dramatic and is probably not the best approach, but the reality is that this is the amount of time we have in which to find a path to a practical outcome. How do we get a plan for the “who, what, how, why and when” of the business process, data management and systems changes that could be required for businesses to manage and demonstrate compliance?
Project Services for Compliant Outcomes
A good starting point is gaining an understanding of your existing compliance under the current Data Protection Act (DPA) and how that positions your business relative to the additional requirements coming from GDPR. Getting to a point where the accountabilities for data are understood is critical, as is knowing how the business is positioned: as Data Controller, Data Processor, or both (and as Data Sub-processor where service providers use sub-contracted providers).
Understanding the contractual compliance relationship required between Controller and Processor (as well as between Processor and Sub-processor) is equally important: these flow-downs apply when viewing the current environment from the perspective of the data subject, the person whose personal data must be protected.
In order to determine what must and can be done in the available timescale, a risk-based approach to the management of any related programmes or projects will most likely be required. This must be married with an understanding of the implications for legacy operations, for in-flight changes and application developments, and for future planned business re-alignments, application developments or acquisitions. It is important to remember that significant cost savings could be derived from ensuring that future plans incorporate compliant solutions from the outset.
This can be set within a 4-D framework of Discover, Develop, Decide, Deliver. The 4D Methodology enables us to manage the approach and mitigate the associated risk.
- 1D – Discover
- 2D – Develop
- 3D – Decide
- 4D – Deliver
This can be used to drive a programme and project management approach focused on compliant outcomes.
If you want to cut through the noise and have a practical, outcome-oriented conversation, contact Overline for a free health check on the compliance hurdles that relate to your business.