By Edward Hansen, Business Architect.
With the ever-so-ominous date for the commencement of the GDPR closing in, it is important to remember the large, friendly letters on the cover of the Hitchhiker's Guide to the Galaxy: "Don't Panic!". In fact, panicking is the worst thing organizations can do in the run-up to 25 May 2018, and here are three reasons why:
- Knee-jerk reactions do more harm than good
- No one likes tyranny
- There’s nothing as permanent as a temporary solution
1: Knee-jerk reactions do more harm than good
As mentioned, the absolute worst thing you could do right now is to panic. All that would encourage is a knee-jerk reaction in the form of a "we just have to be compliant" mindset, which would do more harm than good. Instead, you should be thinking in terms of how you can use this as an opportunity for growth and improvement in the organization.
It is a given that you must document the systems and processes that handle personal data in your organization. Instead of aiming for the minimum requirements, shift your perspective to turning GDPR compliance into a value-generating activity. Knowing how your processes, systems and data are connected will give you invaluable scenario and what-if analyses here and now.
Additionally, the information you generate could be used to identify business opportunities by building Business Ecosystems, Customer Journey Maps and Capability Models, giving you the strategic mandate you need by involving stakeholders at the strategic level.
Think of the outcome instead of the output. The output is GDPR compliance, but the outcome can be so much more: for example, discovering markets for new products and services, streamlining product and service delivery, or cutting down on redundant systems in your organization.
2: No one likes tyranny
It may seem perfectly reasonable to put a new business rule, policy or control in place to prevent unwanted actions, but at a second glance, it can give rise to more problems than solutions. It is already hard to make people comply with existing controls; adding even more is not going to make it easier.
People have a natural aversion to being micromanaged, controlled and told what to do. Therefore, it is paramount that the new rules, policies and controls stemming from the GDPR are merged into the ones that already exist in your organization. Additionally, you should make a point of explicitly communicating the importance and value of those rules, policies and controls by being transparent about your basis for implementing them, whether it is to avoid becoming the victim of a serious crime or to improve your bottom line.
Finally, make sure to include all the stakeholders in the process. Few things feel worse than the impression of not having your opinion heard while being forced to follow rules from the top. The people performing the day-to-day business processes and activities are your best source of information for securing those processes and activities, so make sure to include them in, for example, workshops and information meetings. This way it becomes a collaborative effort, which also brings the added benefit of your rules not being "forgotten" or circumvented.
By establishing a single platform that the whole organization can use to build a common understanding and consensus, you can alleviate misunderstandings and decrease organizational tensions when new initiatives are implemented or new regulations must be adhered to.
“Plans are worthless, but planning is everything”
3: There is nothing as permanent as a temporary solution
To quote Eisenhower: "Plans are worthless, but planning is everything." The solution you set up to handle the EU GDPR needs to last for a long time and will contain a lot of data. Therefore, it cannot be a loosely glued-on patchwork of semi-temporary projects, initiatives and controls.
Nobody can anticipate data breaches, ransomware attacks or other loss of data, which is why you must be prepared for the unexpected. Writing standard operating procedures and action plans is a way of mitigating and preparing for these unforeseen events.
The stringent data breach notification standards in the GDPR do not leave room for "plan as you go". Having a standard operating procedure for unexpected events, or at the very least having prepared something (e.g. a formulated plan), can make the difference between getting a rap on the knuckles and a massive fine that sets you on the verge of bankruptcy. But, importantly, those procedures and processes must be maintained over time.
It is difficult to make predictions, especially about the future. Very few people expected, 10 years ago, the impact that cloud solutions would have on our everyday lives. In the coming years, technology will surpass even our wildest imagination, and at the heart of technology is information. Because of this rapid pace, it is imperative to constantly update and maintain the risk analyses, rules, policies, controls, processes and procedures you implement to prepare yourself for that unfortunate event. This is why new technologies ought to be continually evaluated for their security and usefulness, and new data sources must be considered for the risk or possible value they can bring you.
Maintenance of your GDPR initiatives is what is going to consume the bulk of your compliance resources in the long term, so make sure to plan ahead. This makes it imperative that any and all information that relates to, or could be useful for, the GDPR initiative is stored on a general and accessible platform. Such a platform provides the opportunity to re-use and easily link across all the available documentation instead of having to maintain isolated islands of knowledge.
Don't Panic. Make a thought-out plan for your organization, focusing not only on the output of compliance but on the outcome of bringing value to your organization. Remember to integrate any new initiatives you set forth thoroughly into the existing initiatives in your organization. And finally, remember that you are going to be maintaining and building upon your projects, initiatives and solutions for many years to come, so make sure to implement a general and accessible platform. You wouldn't want your foundation built upon sinking sand rather than solid rock, would you?
So, in short:
- Plan – for output and outcome
- Integrate into daily operations and processes
- Communicate the value and collaborate - Don’t be a tyrant!
- Build to last
We, of course, recommend using QualiWare for handling the GDPR and Information Architecture. Our Enterprise Architecture solution comes with everything you need to comply. Furthermore, it enables you to take advantage of the vast information to make smart decisions on day-to-day operations as well as long-term strategy. The collaboration aspect of QualiWare enables distribution of GDPR responsibilities with predefined workflows and notifications when actions are required. All within one system.