A lot of organisations have run General Data Protection Regulation (GDPR) projects to put a solution in place that demonstrates compliance by May 25th earlier this year. Now that May 25th has passed, summer has gone and most projects have closed down. What is left? What was the outcome?
– Does that mean compliance is now resolved?
– Do you now get automatic updates to your GDPR meta-data?
– Do you have any plans for improving the quality of the information?
– If May 25th was a milestone, was that the end or the start of a new era?
Now, a few months later, we start to see the first cases of data leaks; but we still do not know the fines, and we still have not seen all the legal interpretations. Although it may sound a little like the hype around Y2K, it is quite different:
“Back in Y2K, all was prepared with equally large projects, and finally
the clocks tipped over midnight and the world discovered that the world still existed.
There was no big Y2K global disaster. Then we were in the new millennium, and business was as usual.”
With GDPR the preparations were just the same, but since the clocks tipped over May 25th, not much unusual has happened. Y2K, however, was a single event; GDPR is a new regulation that will demand attention for years to come. No one knows for sure what to expect:
– Hacking groups will keep working to find ways into companies, and will collect and leak the data now that GDPR is in force, either to gain profit or to provoke fines.
– Once a leak occurs, it will hit the media, and this will lead to reputation-damaging incidents.
– It is hard to predict who will be audited first, or who will suffer the first leak. But it will have an effect.
– Most likely the compliance processes will need to improve considerably to stay out of trouble. Once the first fines are issued, this will add to the pressure to keep GDPR compliance up to date.
So yes, there has been much ballyhoo about the GDPR and its potential impact. We have passed May 25th and noticed limited impact; however, we may just be at the beginning of a new era in which optimisation becomes a necessity to stay compliant. We often advise people to plan a journey through a sufficient set of maturity levels. The details vary by industry, but it is relatively easy to identify a set of maturity levels like the following:
Ad-hoc (Step 1): This is where interviews and data capture have taken place, typically with loads of Excel and Word documents used to capture all processing and controller activities, linking them with free text to services, systems and data types. As most consulting organisations have limited tool experience, this has often been solved in Word, Excel or simpler point tools developed for GDPR. This is the lowest maturity level.
Mature (Step 2): This is where automation removes the free text; the Word and Excel reports are gone, replaced by structured metadata linking Data Subjects, Processing and Controlling Activities and third parties. The dependencies are collected and visualised in web-based solutions. Although this may still be possible with point tools, this is the divide where digital governance tools with RACI models are used to democratise data updates.
Architecture (Step 3): This is the level where GDPR is just a subset of the enterprise information model, one regulation among several, built on the data of the ecosystem that shares data across services, customers, servers, databases and so on. This allows automatic data flows and full compliance mapped against the IT landscape. It is architectural maturity based on enterprise architecture (EA) or information management (IM). This stage supports democratisation of input, so that the burden of all related updates is shared collectively. Far beyond GDPR point tools, we typically advise MooD solutions for this stage.
MDD Reporting (Step 4): This is the automation of model-driven documents. Remember all the Word and Excel files of Step 1; they are now generated automatically every night, fully updated! All the third-party reports and the Article 30 records of processing activities are produced by the solution, either as a night job or with a single click. The role of the DPO has now changed to that of an information manager, managing data quality.
Process Intelligence (Step 5): Linking the ecosystem to process management and workflows is the final step. This provides continuous learning and an up-to-date view of “how” processing activities take place. This is where, for example, we recommend Signavio together with MooD, providing a single portal for managing all of IT, including GDPR compliance.
So, all in all, GDPR projects may have closed down. But if you have not automated your way through the five maturity steps, you are not done!
If you want assistance, please make contact.
We power your digital mood!