Over the last year, I have had the pleasure of hundreds of conversations on General Data Protection Regulation (GDPR) and getting an understanding of the struggles organizations are trying to solve when it comes to the 99 new GDPR regulations. The big challenge is that the EU has remained relatively silent on what processes, applications, methodologies and procedures to apply in order to have an auditor walk away satisfied, resulting in debate over what organizations need to do in order to be compliant and capable. The EU regulators seem to prefer to see what the market will produce and go from there. In other words, they do not really know what to expect and are leaving it in our hands to cultivate an appropriate solution.
What’s in a Definition?
In the data privacy and protection industry, there are many terms we have to understand to help us on our GDPR journey. We kick around acronyms like Readiness, Privacy Impact Assessment (PIA), Privacy Information (PI), Data Privacy/Protection (DP), Privacy by Design (PbD), Personally Identifiable Information (PII), Processing of Personal Data (PDD), Single View of Privacy (SVoP), etc. The challenge is that even if we define them, the different industries and geographies around the world can use these in slightly different contexts. (Cue web forum arguments.)
GDPR helps a bit by expanding on what to look for that needs to be governed. In essence, the data you need to look for is a combination of all these viewpoints. It is any information about an individual that can be used directly, or in connection with other data, to identify, contact or locate that person. Such information can include medical, educational, purchasing history, financial, legal and employment records, address, birth date, SSN, social posts, photographs, and lifestyle preferences. The questions are “What is damaging to the individual?” and whether the data was provided, observed or derived, and is likely to identify the individual.
GDPR Article 4 states: “For the purposes of this Regulation:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
How to Make Sense of the GDPR Challenge
I like to think of the GDPR challenge as three distinct building blocks that need to be addressed if we want to be successful. Let us use the example of opening up a new GDPR-themed kitchen (sounds awesome, right?).
1) Before I even open my doors I have to get my legal house in order. These are the type of things needed to run any business – like getting a liquor license, occupancy and safety registration and insurance.
2) Next, I have to build out my menu for my customers. I may have a head chef, but is all that information, like ingredients, recipes, where to buy food and how to cook it, written down, or is it only in his head? As a responsible business owner, the key to my restaurant's success is consistency and commitment to my customers, so it is crucial that their meal comes out prepared exactly as they want it, with no odd, unexpected alterations. If my head chef leaves one day, then what do I do? How will I know what processes to follow to get my ingredients and cook them the same way as always? Now, this is no ordinary kitchen; this is a GDPR kitchen, and there are certain rules I have to follow. For instance, I must now provide proof to the food critic that certain foods are organic or kosher, or contain no GMOs or gluten. I also have to prove to him that I know where those foods come from and who my suppliers are. I know my chef knows, but do I?
3) Finally, I have to make sure that my staff know how to deal with my customers. “My customer is always right,” so any additional asks they have for their food must be promptly addressed. Is their soup too cold? Do they want a large salad instead of the standard one that comes with the meal? A well-trained staff with the ability to respond to my customers’ needs is pivotal to the GDPR kitchen's success.
Combining all three building blocks together will not just get you compliance in the eyes of the food critic, but it will get you that Michelin star you’ve always wanted because you’ve proved that you are not just compliant but capable – especially over the long term.
The Checklist to Success
The secret sauce of GDPR compliance is not that complicated.
- Find a partner that understands the three building blocks and how to address each.
- Start with your legal department and get your code of conduct and privacy policies lined up. If you have not done a PIA (Privacy Impact Assessment), I highly recommend it.
- Next, find a solution, not just a framework for building your recipe and your menu items. There are several tools out there that will help you build a menu, but not many that have the menu items, most popular foods, and how to prepare them already built and ready for you to adjust as needed.
- Finally, align your menu to your customer. Ask yourself if you are serving the right food in the right way to the people coming to your GDPR kitchen.
Now, relax, have a seat by the fireplace and enjoy your meal.