The GDPR, the European Union’s General Data Protection Regulation, goes into effect May 25, 2018 and will have a worldwide impact. The GDPR applies to organizations that have personal data relating to citizens of the EU, including many companies in the US. There have been valid concerns in the industry about the burden GDPR puts on companies, e.g. increases in IT spending and difficult-to-meet standards around obtaining and managing consumer consent to use their information. But, as a privacy professional, I admit that, overall, I am excited! Some of the best ideas the privacy community has developed over the years have finally made it into law. And this, in combination with GDPR’s stiff fines for violations, will drive their widespread adoption.
How do companies go about complying with GDPR? Many organizations have formed a GDPR Transformation Taskforce. Such taskforces can have three primary goals: (i) ensuring the organization itself complies with the GDPR; (ii) ensuring that all its products and services that touch personal data comply with the GDPR; and (iii) for security vendors, ensuring that their security and privacy products can effectively support their enterprise customers in their GDPR compliance journeys.
In many cases, it makes sense to apply GDPR principles to other personal data holdings as well. One example is the accountability principle. This requires not only implementing a comprehensive privacy management program, but also collecting ongoing evidence that proves the program is effective. That is an excellent idea for all treatment of personal data, so it makes sense to implement it across the organization. This one simple example illustrates that the GDPR raises the level of privacy protection not just for European Union (EU) people, but far beyond. That is excellent news for all of us on this year’s Data Privacy Day!
One enabler for implementing an organization’s accountable privacy management program is software tooling that manages the personal data inventory and allows the privacy team to design and distribute questionnaires and assessments to business and engineering teams. Simple workflow, reporting and alerting capabilities help the privacy team collect and manage the results effectively. These privacy management tools have become bestsellers of the GDPR technology landscape.
For me, seeing these tools appear in the market brings about a feeling of déjà vu. About 10 years ago, I co-created a similar assessment tool. So, as readers may be evaluating them for adoption in their own organizations, I have some opinions I’d like to share with you on what makes them useful.
As an early creator of this type of technology, it is gratifying to see how far it has come. In my view, these tools are a worthwhile addition to most organizations’ privacy programs.