Time to review your Data Privacy/GDPR program budget for 2018 and beyond?

John M WalshData Privacy

By now, most companies and organisations are in full swing with their version of GDPR compliance. After a slow start, we notice that those involved with the implementation are getting to grips with the details of GDPR and what it means for their organisation.

Once companies get beyond the assessment phase and start really to understand what is involved, there appears to be varied reactions which can be roughly classified into three types of responses:

  • ‘get us across the line with minimal effort’
  • ‘take risk based approach and do what we need to do”
  • ‘take both a value and risk based approach with long term vision, how can we use GDPR as a catalyst to get our information landscape in order and meet our GDPR compliance obligations’

All of these reactions are understandable. And it is very reassuring to notice that there is a common acceptance of the importance of this regulation. OK, there may be grey areas in the interpretation and implementation but the focus is more on how rather than intent.

So, as many companies will now be busy preparing budgets for 2018, perhaps it’s worth keeping a few things in mind for our ongoing approach and planning for Data Privacy and Data Protection initiatives for 2018 and beyond:

  • Defining the company vision and strategy towards Data Privacy and how it relates to your company values is key to getting and keeping senior management on board this initiative.
  • I guess the term GDPR will lose its meaning in 2019 and beyond and be replaced by Data Privacy & Protection Program. Perhaps it’s a good time to start introducing these terms for Governance and Sponsorship. Maybe now is a good time also to reiterate that GDPR compliance is an ongoing DP Program rather than a Project.
  • The GDPR assessment will have raised several surprises. We notice that they span the organisation, process and technology layers and that it is difficult to assign the ownership of many of these transversal initiatives. Maybe it’s a good time to reflect on how to capture the “value” of these findings and give them ownership and life.
  • Like many others, we believe that ongoing 100% compliance is impossible. And, due to the dynamic nature of data, your organisation may be compliant on paper yesterday but this does not guarantee that it is compliant today. Perhaps it a good idea to consider how ongoing compliance can be semi-automated and take this into account in your compliance program.
  • The GDPR programme will have identified many risks. How are you linking these risks with  your overall Risk management or GRC (Governance, Risk and Compliance) processes?
  • Last but not least, the GDPR presents a great opportunity to clean up ALL our Information and not just for Personal Data only. So why not take the road less travelled and go for the longer term value proposition. Perhaps, we could use the opportunity to show that the budget can be used for initiatives beyond “the GDPR Project”. Emphasising the Business Value and the bigger picture will help your organisation address the key issues that you face today. Using GDPR as a catalyst, we are sure that you will have the attention of senior management now to go beyond the fear elements of fines, reputational risks etc. towards business value creation. Why not go for Information Governance as the key solution for addressing many of the information challenges you are facing today and look to hook in many of the project initiatives identified in the GDPR assessment as part of data management maturity improvement program of 2018 and beyond.

Hope these points help your organisation today.