This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.
The Challenges to GDPR Compliance
In this 2-year grace period between GDPR approval and enforcement, we can’t fail to notice that many, if not most companies are struggling to find a credible strategy to achieve a GDPR compliance status by May 25th, 2018. A surprising large share of them have not yet started to plan their GDPR compliance journey, either underestimating the remediation effort inevitably required, or experiencing a form of “writer’s block” where too many challenges are piled up by multiple teams with the ultimate effect of paralysing the kick-off of a compliance initiative. We have witness this latter situation materialising in complex organisations, however fear and aversion to change is experienced by organisations of about any size and complexity: as so many of those are still resisting necessary digital transformation efforts, likely undermining their ability to stay competitive, or even to stay in business, in a not so distant future, it should come at no surprise that those are envisioning the change brought by GDPR compliance with comparable fear and inaction.
Being concerned about data protection compliance is certainly justified: most organisation are not fully compliant with the current data protection legislation which is far less demanding than the GDPR. Even the legislator expected a lot to do for all organisations, which is the underlying reason for which the 2-year grace period was granted. The main point I want to clarify here is: achieving GDPR compliance for most organisations may require an intense and difficult endeavour, but it doesn’t necessarily need to be so if a rational, pragmatic approach is adopted. While it is certainly appropriate as a starting point to aim for full compliance with all the GDPR requirements, in particular in complex organisation this mind-set is likely to result into an over-engineered approach to compliance. Comprehensive as it may be, this approach frequently results into budget, schedule end effort forecasts falling into an order of magnitude unacceptable to internal sponsors and unlikely to meet the May 25, 2018 deadline.
Adopting a Risk-based ApproachThis inevitably begs for the question: how much is enough? How can we find an optimal compromise between a comprehensive and a “light-touch” approach? The response to this comes from your understanding of the risk your organisations faces and, in particular, from the risk appetite it will set. A risk-based approach to compliance does not have to be seen as a shortcut, but rather as a rational way to address the main sources of risk first, leaving the others for a later analysis and subsequent mitigation approach. An approach like this is nowadays somewhat standard when Information Security risk is concerned. It is rare the case in which organisations decide to address all their sources of risk at once within a unique improvement program. Risks are prioritised and addressed accordingly within timeframes and budgets that senior management is willing to accept along with the awareness that exposure to some risks will not be resolved or mitigated for a while. This residual risk exposure is accepted as a necessary trade-off between security of operations and the ability of the organisation to bear the economic burden of implementing the new controls.
Protiviti is often engaged by clients to assess what is the critical information they hold, where and how sensitive it is and how to protect it with a level of security controls appropriate to its sensitivity level. When it comes to GDPR compliance, our supporting effort starts exactly from these same basis. We focus in understanding first where the organisation’s most sensitive data is found and how it is currently protected. This effort gives a very important clue as where the most exposure to data protection risk is found and, when negative outcomes are mapped to the prospective financial damages (e.g. sanctions from a supervisory authority, claims from damages that citizens can file in Courts etc), priorities of actions will be fairly easy, if not straightforward to identify. As an example of decisions arising from a risk-based prioritised approach to data protection compliance, personal data of employees of an organisation may be protected according to a baseline level of protection, while clients’ data may be protected according to higher standards of security, reflecting the superior sensitivity level attributed by the organisation to the latter data set.
An Analogy for ConsiderationAs an analogy, many families have experienced emergency repairs in their home as a result of adverse events. The replacement of a roof may result into a cost that a family finds unaffordable at present which may lead to a “do nothing for now” approach. However replacing the roof only above the rooms that gets used the most often (i.e. bedrooms) may result into an expenditure that is affordable now, leaving the rest of the replacement to a later intervention. A risk-based approach to GDPR enables all organisations, large or small, to prioritise their compliance efforts based on limited timeframe and budget.