The Subtle, Long-Term GDPR Goals—And How To Meet Them

With a little bit of hindsight on GDPR's enforcement date of 25 May 2018, we can now see a real pattern: most organisations developed their compliance programs in two phases, one before and one after the "go-live".

Why is that important? Because the first phase was deadline-oriented and had clearer metrics of success, while the second phase has proven to have subtler aims and to be harder to carry out properly.

BEFORE AND AFTER

Leading up to 25 May, GDPR efforts were mainly tactical, oriented towards meeting a hard deadline rather than towards developing a long-term strategy. Most organisations focused on "paper-based" compliance and on establishing privacy foundations, conducting a GDPR gap assessment and then developing a remediation action plan to ensure their readiness (as far as possible) by 25 May. These action plans mainly covered things like new policies and procedures, how to keep records of processing activities (article 30), updates to contracts and information notices, awareness sessions for staff, etc.

After May 25, however, organisations started working towards privacy maturity baselines, with the goal of achieving proper risk-based privacy and technology-enabled privacy processes.

In many ways, this second type of effort has proven more difficult. More than six months later, it is still rare to see privacy compliance programs that consider privacy as a long-term strategy, or that recognise privacy as being far more than a box-ticking exercise.

Here are five areas to consider as you start your long-term privacy journey:

  1. Put customers and employees in the centre

    A privacy strategy is about all of your staff and all of your customers. Don't be motivated by penalties; be motivated by a vision of how to bring the organisation into a new, privacy-centred world. Tomorrow's leading businesses will ultimately wield their privacy capabilities—and more widely their cyber security capabilities—as competitive advantages.

    Along these lines, think about:

    - developing a culture where privacy and security become a day-to-day part of employees' efforts; employees will need training to get the right habits and behaviours
    - developing an environment where risks and issues can be discussed openly, and where processes can be challenged where necessary
    - communicating with customers openly, transparently, and consistently about how their data is being used at each touchpoint of their journey; this helps build trust

  2. Understand that data is both an asset...
