GDPR compliance: six steps to make it happen

The deadline for GDPR compliance is now less than a year away. The regulation has become a major business concern for many companies, with good reason – one of the most publicised parts of the legislation is the threat of non-compliance fines up to 4 per cent of global revenues. That’s without mentioning the inestimable reputational damage that comes with it. Consumers are now more sensitive than ever to how their personal data is processed and protected.
Technology leaders like chief data officers (CDOs) and chief information officers (CIOs) must see this as an opportunity to take the lead in building compliance into company processes. They can help their companies achieve multiple benefits at the same time as appeasing the regulators.
The advantages are many and varied. From removing operational silos and creating more efficient internal processes to improving customer personalisation programmes, good data makes for a successful business. But you have to invest to make the most out of your information assets, and you have to develop a roadmap that will deliver value over time.
As a result, for the past decade many companies have seen the technological and financial barriers as too much. As one example of this specious thinking, why dedicate capex to a data management project if the business is already running smoothly? There is also a cultural barrier to overcome in many cases – getting control of your data often means changing the way a company works, which brings with it difficulties of its own.
Now the GDPR deadline may force the issue. With the C-suite more focused than ever on the importance of good data management, the CDO should take responsibility for making the company data-centric – and then help it reap the rewards.With that in mind, here are six points we consider could be important to help the business on its GDPR initiative journey.
 

1. Don’t see GDPR as an enemy. Financial services companies are used to building many of their processes around regulation, but many other industries are not. Don’t be afraid of making the necessary changes – instead, treat them as a chance for competitive differentiation. Preparing for the GDPR can help businesses to get a good, in-depth understanding of the personal data they process. In that sense, compliance can be a benefit as well as a challenge: it might cut those who aren’t prepared for it, but it can give others plenty of valuable insights to drive growth and customer engagement.

2. Plan your compliance programme carefully… The journey towards GDPR compliance is often a long one. Even if your company won’t have all the loose ends tied up by May 2018, it’s still important to be able to show regulators and stakeholders that you are intentional and serious about reaching compliance, and that you have control over your data.

3. …and map out your data. For many, a good way to start on GDPR compliance is identifying how your organization processes personal information across its ecosystem, so you can appropriately process and effectively secure it if required. To do that, we think you’d want a clear view of your entire data landscape. Imagine it like a macro version of Where’s Wally – if you can only search part of the picture, you might find Oswald or Wenda, but you’re probably not going to find Wally. As a result, organisations may wish to consider automating the data discovery process. Manually sorting through the huge amounts of data involved often takes a lot longer than predicted, and as your data is evolving all the time, your insights will be stale almost as soon as you produce them. Automated data discovery and management can speed up the process and help you keep pace with shifting data inputs. And by generating a risk score for relevant data, organisations can understand how to start prioritising remedial activities.

4. Involve the whole company. This isn’t just a problem for application developers: the whole company from the top down needs to be on board with making GDPR compliance and data-centricity a success. That means the CDO needs to ensure that senior stakeholders such as the CEO are involved and committed from the start, as they can help to unify the company around the single goal of achieving compliance. Also, don’t forget the legal aspects too – they’re a key part of protecting the company and can help you understand the scope of what’s required.

5. Bring in the right external expertise. Technology alone is not enough for this task. It’s an accelerator for a GDPR initiative, but it’s only one part of the story. You also may need switched-on business consultancy to go hand-in-hand with it. Ultimately, companies may need to re-engineer their entire operational structure to accommodate GDPR, so they may need insightful strategic counsel to help them.

6. Start now, not later. Finally, don’t forget that GDPR kicks in on May 2018. CDOs potentially face a long uphill task, so starting now is key. Like the proverbial bird, the company that starts early will catch the compliance worm and the market share that comes with it. The tools are available. Last year organisations could afford to theorise – we think now is the time for action.

 
Andrew Joss, head of industry consulting EMEA at Informatica