I recently attended a GDPR Summit hosted by Microsoft in Redmond, WA along with Valorem's VP of Cloud Platforms, Steve Cummings. The event attracted over 300 attendees from more than 15 different countries interested in learning more about GDPR and its implications for businesses around the world. I knew Microsoft had been focused on and investing in this important topic, but it was great to see it firsthand. Click here to hear Steve's recap live from the Summit.

 

One of my key takeaways was reinforcement of the fact that this is bigger than GDPR. Regardless of how you interpret or view the regulation, GDPR is a good forcing function to think critically not just about security and compliance, but also about important topics like privacy and trust. An impactful point made during the Summit was that even though the subject of privacy is regularly in our headlines today, the earliest known breach of personal data can be traced as far back as WWII, when massive amounts of personally identifiable information (PII) records were used in nefarious ways. Keeping personal data secure has always been a responsibility for those organizations that collect, store and use it. The threats are simply evolving with the market. IT professionals positioned for success in our growing digital era are creating strategic plans to prepare for next-wave business disruptors. GDPR gives organizations a reason to evaluate their data estate and establish or evolve maturity related to data holistically. To that end, achieving GDPR compliance could be viewed as providing a framework for ensuring you maintain your reputation as it relates to privacy.

 

In the rest of this post, I will outline some of the considerations and activities required to address data governance for privacy through a more holistic lens.

 

Elements of Data Governance for Privacy:

  • Policy: Establish risk baselines and communicate them to ensure they are addressed.
  • People: Define a wide range of roles focused on achieving compliance.
  • Processes: Create actionable processes and/or translate existing processes into executable processes.
  • Technology: Use Microsoft’s four-step process for meeting the requirements of GDPR (or just maturing your data practices):
    • Discover: Identify the personal data you have and where it resides.
    • Manage: Govern how personal data is used and accessed.
    • Protect: Establish security controls to address vulnerabilities and prevent data breaches.
    • Respond: Establish security controls to detect and respond to vulnerabilities and data breaches.

As a starting point, organizations need to ask how they are going to solve for the entirety of the GDPR challenge/opportunity:

  • What is the state of the union?
  • What do you want to accomplish?
  • What is your approach to risk (business/industry, scenario/impact, risk tolerance, etc.)?

A lot of organizations are going to have to start with People (building out a dedicated data protection team/owner) and Policy (ensuring documented policies have been established/updated to address the modern realities of cloud, mobile, data growth, data usage and regulation).

 

Once organizations get to a point where they can focus more on the process and technology components, operationalizing this effort should address the following questions:

  • How are you going to ensure ongoing risk assessment?
  • Have you prepared (planned and tested)?
  • Do you understand the potential scale of a large data security event?

In closing, GDPR is more than just a regulation; it’s a chance to ensure privacy and build trust. GDPR or data governance for privacy needs to be a part of your broader business strategies, including:

  • Protection and compliance vs privacy and brand safety
  • Privacy as a part of corporate social responsibility

During the Summit there was discussion around how most experts expect GDPR to evolve into a de facto global standard. Whether you believe that or simply believe that this is good practice and “the right thing to do”, I’ll leave you with a quote:

 

“Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.” -Winston Churchill