For nearly a year now, we’ve been telling you this was coming. We did our best to prepare you for the inevitable. And now that May 25, 2018 has come and gone, I really do hope that we’ve been able to help you get ready.
Ready for what? Unless you’ve been living under a rock all this time, you know I’m talking about the General Data Protection Regulation — or, as we affectionately refer to it, GDPR. As of May 25, GDPR enforcement has become a reality. That means all your GDPR-related plans and processes should (ideally) be in place and every member of your team should know what they’re supposed to do and when they’re supposed to do it.
But you still need to understand that being ready is not the same thing as being done. That’s why I’d like to share some important lessons we’ve learned about GDPR readiness.
There’s No Magic Checklist
I’ve had more than one person ask me for a “complete” checklist they could use to help ensure they’d managed to get everything done. Unfortunately, there’s no such thing. Yes, you certainly could hire IBM — or some other company — to examine and evaluate all the GDPR-related work you’ve done and report back on your status. But there would still be work for you to do.
The truth is, GDPR comprises 99 articles that spell out its requirements. You need to read and familiarize yourself with all of them. Yes, I said all of them. There’s no silver bullet, no shortcut, no cheat sheet. It’s your job to identify the controls that you need to implement based on your organization’s specific situation.
Once Is Not Enough
You need to embed your processes into the very fabric of your work and, above all, you need to make sure those processes are repeatable. That may mean doing internal readiness reviews for every product or service you offer, so you can see how you’re going to keep everything going day in and day out.
It’s not possible to do that with quarterly reviews. GDPR requires considering its obligations in everything you do, making “privacy by design and by default” and “security by design and by default” mantras that you follow from now on. Think about how you’ll review new projects or develop product enhancements, and then take the necessary steps to see that GDPR is baked in. For example, IBM Security Guardium Analyzer is a software-as-a-service (SaaS) solution that can help you locate GDPR-relevant data on an ongoing basis. With it, you set up a repeatable process to identify and prioritize those databases that may be most likely to fail a GDPR audit — so you can take action to help minimize your risk.
GDPR Is a Team Sport
This may be one of the most important lessons I’ve learned as I’ve been helping organizations get themselves on track with their GDPR readiness plans over the past year. You absolutely need to include all the major stakeholders in your planning and decision-making. I’ve seen more than a few situations where implementers aren’t working with program managers, for example, or where the privacy office sets out policies that can’t readily be put into practice.
When it comes to GDPR, you shouldn’t expect to be the hero running down the field in the fourth quarter toward that winning touchdown. Because without your team, you’re going to get tackled.
One More Thing: Remembering Adam Nelson (1965–2018)
On behalf of the entire IBM GDPR team, I want to dedicate the final blog in this series to our dear friend and colleague, Adam C. Nelson, who passed away last month.
As a freshly minted attorney, Adam joined the IBM Security and Privacy Consulting Practice in 2000, where he was among the first to focus on privacy issues and ultimately contributed to three IBM patents that involved data privacy. His patents of 2006 and 2011 were woven into the IBM Total Privacy Management Framework, which our consultants still use to measure the privacy management maturity of an organization. And his Data Privacy Engine patent of 2014 applied artificial intelligence toward managing multiple privacy regulations worldwide.
In addition to writing a number of the blog posts in this series, Adam co-authored numerous papers, including “A technology perspective on worldwide privacy regulations.” A peer-reviewed paper published in the IBM Journal of Research and Development in 2009, it included a worldwide survey of privacy regulations and linked standard technologies as a method of compliance. And it explained the legal aspects of regulations in a way that nonlawyer technologists could understand.
Although he left IBM and came back twice, Adam returned each time with newly developed skill sets. Most recently, he took charge of the IBM International Privacy Consulting Practice. In that role, he evangelized privacy, collaborating with me on developing numerous GDPR-focused assets, including the IBM GDPR Framework and GDPR Readiness Assessment.
Adam was a great colleague and a wonderful individual, always willing to jump in and volunteer to help, even as he was fighting his brave three-year battle with cancer. I will never forget Adam’s great eye for detail — and our humorous debates over the definitions of words we were using as we wrote this blog series together. His impact on the way we approach privacy in this industry was tremendous — especially where GDPR is concerned. And while Adam will truly be missed, his fine work at IBM will live on.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.