In the heat of preparing your organization towards GDPR compliance, it’s important to remember that assessment is only part of the process towards true compliance. So what about compliance itself?
You’re a responsible DPO. You’ve began planning for GDPR early on and started figuring out how you’ll tackle this overwhelming regulation. You’ve researched every article in depth and investigated how it applies to your organization.
You talked to your board to bring their attention to GDPR, mainly by scaring them with the hefty fines associated with non-compliance. And so you managed to allocate a sufficient GDPR budget. You’re talking to the best GDPR compliance consultants and legal firms to figure out every angle of the regulation and start going through a GDPR Readiness Assessment program. The assessment only makes you aware of how “unready” you are and how much more you have to accomplish.
You understand that you first need to map your sensitive data and so you apply a discovery tool to figure out where your sensitive data is located.
And then it hits you…
You notice that data discovery is not enough. It’s just the tip of the iceberg. How do you actually protect this data. What about actually becoming compliant?
The panic arises together with questions that need concrete answers:
- How do I apply consent processing controls?
- How do i implement the “right to be forgotten” and data cancellation?
- How do I audit user activity to comply with “records of processing controls”?
- What is the technical tool I need for complying with these articles and does it event exist?
Many organizations find themselves in a similar situation. They have assessed and even mapped out their sensitive data, but are still unsure about what tools they’ll use for compliance. Well, the technology do exist and the clock is ticking, so it’s a good idea to start implementing the solution because there is less than a year left.
This is an indication that it might be a good idea to shift your focus towards the most important part of GDPR: compliance itself. Because on May 25, 2018, when a customer will ask to have his data forgotten, and you will easily erase your customer’s data at a click of a button, you would know you that did your job as the DPO. You would know that you have successfully protected your customer’s privacy.