The General Data Protection Regulation (GDPR) strengthens the privacy rights of individuals in the EU, giving them greater control over their personal data. Under the regulation, organizations must grant individuals access to their personal data on request. They must also honor requests to erase that data, or to transfer it to another organization, without undue delay (as a rule within one month). Given its requirements and the possible consequences of non-compliance, the GDPR is widely considered the most important change in data privacy regulation in 20 years.
While this is a tremendous step forward for privacy protection and an important contribution to our increasingly digital society, it also raises essential challenges for any organization that collects, handles and stores personal information. To comply with requests for access, erasure or transfer, you must first develop the technical and procedural capabilities to do so: you cannot hand over, delete or export data you cannot locate.
Lessons Learned from Successful GDPR Transformation Projects
Accenture Security has been involved in GDPR transformation projects since 2012, when the European Commission first submitted its proposal for the regulation. Upon learning that the new legislation was being drafted, one of our clients decided to take a proactive approach and brought us in to assist. Since then, we have been involved in many projects across a wide range of industries, from Financial Services and Communications, Media & Technology (CMT) to Resources and Products. We are now running multiple GDPR transformation projects for multinationals based in the Netherlands.
This experience has given us valuable insights into the most important aspects of both the GDPR itself and the steps organizations can take to prepare for it. We have distilled these insights into eight essential lessons that will help your business make the most of its GDPR transformation and seize the opportunities the process provides.
1. Determine Your GDPR Requirements
Your GDPR requirements form the foundation on which your transformation project is built. They determine the actions you will need to take to achieve compliance. It is important to establish these requirements beforehand, especially because the regulation applies differently depending on your context: whether you act as a controller or as a processor, which categories of personal data you process (special categories such as health data carry stricter conditions), and which sectors and member states you operate in.
There is no one-size-fits-all solution here. No standard checklist. Instead, you must carefully consider how the GDPR applies to your organization specifically and work from there to determine the requirements this imposes on you.
If your GDPR requirements change halfway through your project, you may need to rescope and potentially run additional assessments and remediation actions. This, in turn, can cause unacceptable delays. Clarifying these requirements at the outset and making sure your business is in agreement with your internal and external legal advisors will help to eliminate these risks and keep the project moving.
2. Define Project Scope in Advance
To begin your GDPR transformation journey, you will need to assess the overall compliance situation of all personal data within your organization. This assessment is fundamental to the success of your project, but it cannot be carried out completely if you don’t have a clear picture of where this personal data is located. That is why it’s essential to get your scope as close to 100% as possible before you get started on the project itself.
When high-risk applications, processes and archives are discovered during the later stages of the project, you will need to return to the assessment phase to address these new findings. This runs the risk of diluting your focus and causing considerable delays. While you will never be able to eliminate late discoveries completely, aiming for the fullest scope possible will go a long way toward avoiding these risks.
If you happen to discover applications and processes during your remediation project that fall outside the high-risk category, we advise that you include these in a separate transformation cycle (i.e. assessment and remediation) after the original scope has been concluded.
3. Invest in Change and Awareness
The fruits of the digital revolution are many. Consumers have access to innovative new services and products that are genuinely making their lives better. But the same developments that make this possible are also putting privacy in the spotlight. It will be there to stay – and dealing with that means making privacy part of your organizational thinking and behavior as a whole.
That’s why it’s so important to invest in change and awareness. Creating a sense of urgency requires leadership support, which in turn requires understanding. The same applies for project stakeholders: they are unlikely to participate if they don’t understand why GDPR transformation is necessary, and a lack of support from stakeholders can mire your project in inefficiency.
Still, projects like these cannot be governed by top-down processes alone. Awareness needs to spread through your entire organization. All employees and departments that handle personal data need to know and understand the new tools, policies and processes, as well as how the changes will affect their daily work. They will be the ones using them, after all, so they will need to be up to speed. Otherwise, you run the risk of creating a perfect set of privacy processes that will sit unused on a shelf somewhere.
4. Be Mindful of Unstructured Data
Any information that lives outside your databases, applications and other structured environments can complicate your efforts toward GDPR compliance – especially if that information is personal. This unstructured data comes in many shapes and forms, from Word and Excel documents to paper notebooks to something as simple as a Post-It note. In any case, you won’t be able to track it as easily as the data inside your applications. Establishing rules for sharing and deletion is similarly complicated.
As a result, unstructured data may pose compliance risks. At the same time, it can obscure opportunities: acting on valuable information is difficult when you cannot track it properly. That said, trying to control this phenomenon top-down will often prove impossible. Your communications department may produce large amounts of Photoshop files and Office documents, but simply telling them to stop is obviously not a viable solution.
Instead, focus on education. Helping your teams understand their responsibilities with regard to unstructured data is the first step toward a solution. Acknowledge its chaotic nature and teach them how to handle it properly. Once you have built that understanding, you can take steps to identify existing unstructured data and make it trackable, either by crawling your file shares and endpoints for files that contain personal information, or by introducing tools that support and encourage your employees in classifying files containing personal data manually. Keep in mind that a crawler of this kind reads personal data itself: restrict who can run it and who can see its output, and have it record where personal data was found rather than copying the matched values into yet another uncontrolled file.
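The crawling approach mentioned above, as an added example (not code from the original article or from Accenture): a small Python scanner that walks a directory tree, reads text-like files and flags lines containing e-mail addresses or IBANs. Matching an IBAN by pattern alone produces many false positives, so each candidate is validated with the ISO 13616 mod-97 check before it is reported. The directory layout, file names and contents are constructed here for the demonstration; the file-extension list and the two detector patterns are assumptions for the example, not a complete catalogue of personal data.

```python
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Detector patterns (assumptions for this example; a real deployment would add
# national ID numbers, phone numbers, etc. and tune them per country).
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Country code, two check digits, then 11-30 alphanumerics, optionally space-grouped.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with digits (A=10 ... Z=35) and require the result % 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # int('A', 36) == 10
    return int(digits) % 97 == 1


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    value: str  # for the demo; production tooling should store a masked value or none


def scan_file(path: str) -> list[Finding]:
    """Scan one file line by line; binary or unreadable files are skipped silently."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            lines = fh.readlines()
    except (UnicodeDecodeError, OSError):
        return []
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(path, n, "email", m.group()))
        for m in IBAN_RE.finditer(line):
            if iban_is_valid(m.group()):  # pattern hits with a bad check digit are dropped
                findings.append(Finding(path, n, "iban", m.group()))
    return findings


def crawl(root: str, extensions: tuple[str, ...] = (".txt", ".csv", ".md")) -> list[Finding]:
    """Walk the tree and scan every file whose extension is in the allow-list."""
    out: list[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                out.extend(scan_file(os.path.join(dirpath, name)))
    return out


def files_with_personal_data(findings: list[Finding]) -> dict[str, set[str]]:
    """Group hits per file, which is the unit an owner and a classification get assigned to."""
    by_file: dict[str, set[str]] = {}
    for f in findings:
        by_file.setdefault(f.path, set()).add(f.kind)
    return by_file


def build_sample_tree() -> str:
    """Constructed sample data for the demonstration (no real persons or accounts)."""
    root = tempfile.mkdtemp(prefix="gdpr_scan_")
    samples: dict[str, str | bytes] = {
        # one valid e-mail and one valid (space-grouped) IBAN -> two findings
        "hr/onboarding_notes.txt": "Call back j.jansen@example.com about the contract.\n"
                                   "IBAN GB82 WEST 1234 5698 7654 32 for payroll.\n",
        "marketing/campaign.md": "# Q2 campaign\nNo personal data here, just the plan.\n",
        # looks like an IBAN but the check digits are wrong -> not reported
        "finance/invoices.csv": "id,account\n1,GB82WEST12345698765433\n",
        # binary file: not in the extension allow-list, skipped
        "design/logo.psd": b"\x89PSD\x00\xff\xfe binary blob",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in crawl(sample_root):
        print(f"{os.path.relpath(f.path, sample_root)}:{f.line_no}  {f.kind:5}  {f.value}")
```

Run as a script, the demo reports the e-mail address and the IBAN from the HR notes and nothing else: the marketing file has no personal data, the invoice file's account number fails the mod-97 check, and the Photoshop file is never opened. The per-file grouping from `files_with_personal_data` is what you would feed into the classification and ownership process described above.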
5. Establish Strong Governance Structures
Setting up proper governance is essential to the success of your GDPR transformation, both during the project and after its completion. A formalized governance model will help clarify the responsibilities of those involved, painting a clear picture of what each project member must do to move the project forward. Similarly, achieving long-term GDPR compliance means making sure that everybody knows what is expected of them in the long run. Once the dedicated project ends, you will need to establish some form of governance that allows you to maintain compliance indefinitely.
Appointing a Data Protection Officer (DPO) is the first step in achieving proper governance. Note that the GDPR makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data; even where it is optional, a DPO gives the program a clear owner. The DPO will need support from the rest of your organization to carry out their responsibilities. Ideally, each department or business unit should contribute its own representative to handle local issues and assist the DPO. How you handle this is up to you: appointing local privacy champions or single points of contact, or convening councils for privacy-related issues, are all valid strategies.
How you balance these roles likewise depends on the needs and scale of your organization. In smaller businesses, it makes sense to create dual roles, establishing your governance structure by combining new roles with existing ones. For larger organizations, full-time roles are a more appropriate choice. You can also leverage existing structures by adding privacy governance to the responsibilities of your security, legal or compliance teams. However, when combining roles in this way, you must always be careful to avoid conflicts of interest: the GDPR explicitly requires that a DPO's other tasks do not conflict with the DPO role, which rules out, for example, a DPO who also decides the purposes and means of the processing they are meant to oversee.
6. Embrace Privacy by Design
Under the GDPR, privacy needs to become part of your organization's DNA. The regulation calls this data protection by design and by default: to achieve long-term compliance, you will need to embed privacy controls into every process and application that handles personal data. This is not limited to existing activities. New processes and products must be designed with privacy in mind (data minimization, purpose limitation, access restricted to those who need it) to avoid compliance issues further down the line.
Training and education play a vital role in this. At the moment, the deadline for GDPR compliance is getting closer. Enforcement is looming on the horizon and all eyes are focused on the new legislation. Once the cutoff date passes, however, things will slowly return to normal – and compliance may slip if it is not embedded within the mindset of your organization.
In addition to training your talent to embrace the privacy-by-design mindset, you would do well to include privacy controls in your project initiation documentation. This will ensure that new projects can only be initiated if proper privacy controls are in place, providing additional assurances for compliance in the future.
7. Consider Your Organizational Structure
The way your organization is structured can have a significant impact on your GDPR transformation project. To successfully navigate the path to remediation, you must address any complexities that arise from your specific situation beforehand. We have included a few examples to help you identify areas of particular interest.
Centralized vs. Decentralized Organizations
Generally speaking, decentralized organizations will encounter a less uniform landscape during their drive toward GDPR compliance. More stakeholders mean more input, which makes it more difficult to determine project requirements. Likewise, it will be more difficult to take stock of all applications, processes and data within your organization, which will complicate the process of scoping your project.
Outsourced vs. In-house IT
If your organization handles all of its IT processes in-house, the work of achieving GDPR compliance will be yours and yours alone. If you have outsourced some or all of your IT processes, you remain the controller and therefore remain accountable for the data, but you will also need to ensure that your suppliers (your processors) understand your GDPR requirements and comply with them. This means your focus will shift to contract management. You must carry out due diligence to select suppliers that meet your standards and make sure they sign your data processing agreement, which the GDPR requires to set out, among other things, the processor's security obligations, its use of sub-processors and its duty to assist you with data subject requests. This will be relatively easy if you have strong supplier management in place, but without it you may encounter additional difficulties.
Multinationals vs. Single-Country Businesses
The GDPR was designed to provide a uniform set of data privacy rules across the entire European Union. As a regulation it applies directly in every member state and offers the same protections to individuals in each of them. However, certain aspects are still set at the national level, where the regulation leaves member states room to specify. Retention periods for records such as payroll or tax data differ between countries, for instance, which in turn affects when you may, or must, delete them. If your organization is active in multiple EU member states, this will make your GDPR transformation project more complex.
8. Build a Pragmatic Processing Registry
The GDPR explicitly requires organizations to establish and maintain a processing registry: the records of processing activities described in Article 30. In essence, this is an overview of all activities within your organization that process personal data, including for each activity its purpose, the categories of data subjects and data involved, the recipients, any transfers outside the EU and, where possible, the retention period and a description of the security measures. Creating this overview is mandatory, but there are two ways to structure it, each with its own advantages and drawbacks.
An application-based registry is easier to establish because you won't need to perform a full inventory of your business processes beforehand. Instead, you identify personal data at the level of individual applications and use this overview as a reference point for GDPR-related requests. This takes less time to create, but handling requests for access, transfer or erasure will be more time-consuming, because each request has to be resolved application by application and the same individual's data may be spread across many of them.
On the other hand, basing your registry on your business processes will allow you to handle GDPR-related requests more quickly. Instead of tracking personal information as multiple data points across multiple separate applications, you can follow the data holistically throughout each of your business processes. When you receive a request for access, erasure or transfer, you can quickly assess which business processes contain that individual's data and take appropriate action in every application those processes touch. A process-based registry therefore makes it easier to automate the handling of GDPR requests, but it will take more time to set up, especially if your organization has not yet fully documented its business processes.
A Valuable Stepping Stone toward Lasting Digital Trust
Digital technology has been weaving itself into every aspect of our world for decades. It has become an essential part of global business and society, building the foundations for a dazzling array of new products and services. We are now in the midst of a new technological revolution which will create even more opportunities for innovative value propositions in the digital landscape. But we must seize these opportunities responsibly. Data privacy will remain a fundamental issue, and the privacy regulations designed to protect us are here to stay.
We are approaching the end of the transition period for the GDPR. May 25, 2018 marks the date from which the regulation is enforced, raising concerns for organizations that have not yet achieved full compliance. Many businesses view the new law and its consequences with grudging acceptance or outright worry. While understandable, this point of view will prevent you from seeing the GDPR for what it truly is: a unique opportunity to gain digital trust and build better relationships with your customers.
In the future, your commitment to privacy will be a deciding competitive advantage. Proving that your customers can trust you with their data will boost your reputation and your profile, opening up new avenues for growth. Digital trust is the new currency and the GDPR is a clear incentive to embrace it. It will not only bring the value of personal data into focus, but also add new weight to existing business cases that might previously have been too weak to pursue.
But perhaps most importantly, the GDPR provides excellent incentives to learn and collaborate with others in your industry or ecosystem. The insights we’ve discovered will help get you started on the path to compliance, but you are bound to make new discoveries along the way. Building a community and sharing those insights will give you access to deeper knowledge and better strategies, putting your company in the best possible position to formulate a realistic approach for a privacy-centric future.