Some Tips on Organizational GDPR Compliance and Evaluating Privacy Management Tools


The GDPR, the European Union’s General Data Protection Regulation, goes into effect May 25, 2018 and will have a worldwide impact. The GDPR applies to organizations that have personal data relating to citizens of the EU, including many companies in the US.

GDPR

There have been valid concerns in the industry about the burden GDPR puts on companies, e.g. increases in IT spending and difficult-to-meet standards around obtaining and managing consumer consent to use their information. But, as a privacy professional, I admit that, overall, I am excited! Some of the best ideas the privacy community has developed over the years have finally made it into law. And this, in combination with GDPR’s stiff fines for violations, will drive their widespread adoption.

How do companies go about complying with GDPR? Many organizations have formed a GDPR Transformation Taskforce. Such taskforces can have three primary goals: (i) ensuring the organization itself complies with the GDPR, (ii) ensuring that all its products and services that touch personal data comply with the GDPR, and (iii) for security vendors, ensuring that their security and privacy products can effectively support their enterprise customers in their GDPR compliance journeys.

In many cases, it makes sense to apply GDPR principles to other personal data holdings as well. One example is the accountability principle. This requires not only implementing a comprehensive privacy management program, but also collecting ongoing evidence that proves your program is effective. That is an excellent idea for all processing of personal data, so it makes sense to implement it across the organization. This simple example illustrates that the GDPR raises the level of privacy protection not just for people in the European Union (EU), but far beyond. That is excellent news for all of us on this year’s Data Privacy Day!

Tips on Evaluating Privacy Management Tools

One enabler for implementing an organization’s accountable privacy management program is software that manages the personal data inventory and allows the privacy team to design and deliver questionnaires and assessments to business and engineering teams. Simple workflow, reporting and alerting capabilities can help the privacy team collect and manage the results effectively. These privacy management tools have become bestsellers in the GDPR technology landscape.

For me, seeing these tools appear in the market brings about a feeling of déjà vu. About 10 years ago, I co-created a similar assessment tool. So, as you may be evaluating them for adoption in your own organizations, I have some opinions I’d like to share with you on what makes them useful.

  1. Content matters: The quality and specificity of the questionnaire templates included in the tools will greatly affect their effectiveness. For example, evaluating an email marketing campaign requires different questions than evaluating cross-border data flows or checking whether a software development project is in line with GDPR’s Privacy by Design requirement. Generic, high-level questionnaires won’t produce reliable results and might even confuse users.
  2. Flexible questionnaire design: The privacy staff should be able to develop their own content (questionnaires, assessments etc.), since almost all organizations have their own specific privacy issues and policies. Look for tools that give you the freedom to develop your own content beyond the out-of-the-box templates. These questionnaires should be dynamic and adapt to previous answers, so that the people filling them out are not asked irrelevant questions.
  3. Usability is key: Using a free trial version, test the software carefully to ensure your privacy staff (not the IT staff) are able to design and deploy the questionnaires, workflow and reporting. More importantly, make sure that the intended end users in your organization can fill out the questionnaires effectively and without confusion. Appropriate help functions are a key point.

As an early creator of this type of technology, it is gratifying to see how far it has come. In my view, these tools are a worthwhile addition to most organizations’ privacy programs.