GDPR will make its much-anticipated entrance to the international regulatory environment one week from Friday. Companies have had almost two years to prepare for the comprehensive data protection and privacy regulation, though the majority of action has unfolded in the last several months.
For some companies, compliance has come with a multibillion dollar price tag and complete restructuring of data processes. For others, it has been a manageable headache.
GDPR compliance has affected not only data processors and controllers, but also all the vendors who sell to these companies. The regulation only provides the ends, so companies are left to their own devices interpreting ambiguous language to devise the means for compliance.
Through the many paths to compliance, a few clear lessons and trends are emerging: Companies need clear leadership and they need to play the long game.
Strong leadership
Corporate sponsorship will be essential to unite parts of business that didn't work together in order to tackle compliance with comprehensive data culture and process adjustments.
"With GDPR, data protection is no longer the responsibility of the IT department or the CIOs, but rather it will be the whole enterprise's responsibility," said Janet Jaiswal, VP of product marketing at SnapLogic, in a GDPR roundtable. From tech and legal to the C-suite, every part of the business needs to be on board, though making this happen isn't easy.
"I like to joke that legal doesn't speak tech and tech doesn't speak legal," said Chris Babel, CEO of TrustArc, in an interview with CIO Dive. But if all teams aren't there, a company will struggle to reach compliance, and pushing through the difficulties at the beginning of not understanding one another is necessary.
"I like to joke that legal doesn't speak tech and tech doesn't speak legal."
Chris Babel
CEO of TrustArc
The leadership of data protection officers (DPOs), compliance officers required for companies conducting large-scale data processing, is important. DPOs can be whatever an organization needs: for some, a mid-level, check the box kind of job, whereas others leverage the DPO as an upper-level, strategic officer, according to Babel.
But DPOs can't do it all.They aren't the ones handling all a company's data, so delegating data stewardship to individual departments, such as human resources, and making sure they have the tools and processes in place is important, said Jean-Michel Franco, senior director of product marketing at Talend, in an interview with CIO Dive.
A shortage in leadership is looming, however. No matter what happens, the upcoming demand for tens of thousands of DPOs will far outweigh the supply in the next few years, according to Babel. Certified DPOs will be reaping the rewards of a lush hiring environment, but companies that dragged their heels may have trouble finding the talent they need.
It doesn't end on May 25
While large fines have dominated many conversations surrounding the effects of GDPR, in the long-run the EU regulation will have a much bigger impact on data protection and privacy, and discussing the regulation in terms of its positive effects is important.
The regulation opens the opportunity for businesses to harmonize data cultures and policies and is incentivizing business efficiency, according to Ashley Slavik, DPO and lead data counsel for Veeva Systems, in an interview with CIO Dive. And while many lament the ambiguity of the regulation, it creates opportunity for flexibility and autonomy over alignment, she said.
Compliance demands differ greatly across the board. For a software company like Talend that doesn't host a lot of PII and mostly helps customers move data, compliance demands are very different than a company like Facebook or Equifax.
But everyone wants to use data better, and GDPR can be a valuable means to do so by incentivizing the adoption of data management. Businesses need to reconcile governed and shadow IT for consent management to ensure that all PII in a data lake is accounted for, and then they can add layers for user consent, controls, data subject requests and deletion on top, according to Franco.
GDPR opens the opportunity for businesses to harmonize data cultures and policies and is incentivizing business efficiency.
Ashley Slavik
DPO and lead data counsel for Veeva Systems
Many companies will not be fully compliant by the deadline, but that's okay and the regulators recognize that the compliance path is difficult and will require extra time, according to Babel. Demonstrating that one has put thought and time into a compliance solution, having a plan for data processing and protection and understanding what is needed of them will be enough for most companies come May 25.
But taking the first few steps and not finishing won't suffice. Data protection is a lifelong and ongoing process. Regulators might allow for a grace period after the deadline, but Europe won't let the regulation go on without adding teeth to it.
Companies will need to train and "rinse and repeat," because the people in a company are ultimately the biggest asset and the greatest risk, according to Slavik. Pinpointing privacy champions across departments and bringing them into the fold, to make GDPR part of their job instead of someone else's entire job, will integrate data protection into a company's culture.