Many organizations have taken a phased approach to the EU General Data Protection Regulation (GDPR) to meet the May 25, 2018 deadline. They start with heavily manual processes, then continue with ongoing investments to automate more of the governance processes, as they modernize other parts of their IT environment.
Where does GDPR reside?
Organizations are struggling to identify which part of the organization should be responsible for policy definition and enforcement, and where within the complex IT landscape the business processes required for GDPR should reside. The question is not just one of technology and tools, but also of which teams within the organization are best suited to managing GDPR compliance.
The answer is not a simple one. GDPR involves fundamental changes to an organization’s business processes. These changes affect how all aspects of the organization behave when interacting with customers and their data. Because this necessitates changing business processes, IT departments are not the only place involved in implementing GDPR. GDPR compliance cannot be enforced simply through new infrastructure tools and policies or traditional security controls.
IT Security Departments
Traditional IT security departments are not well suited to GDPR implementation, because they habitually focus on controls and layers of protection. As noted above, GDPR demands changes in business processes to ensure compliance, not just tighter security controls. Traditional CISO roles and teams play a part in GDPR, but in many organizations they lack awareness of the complex business processes that GDPR will affect.
Data Protection Officers
The GDPR requirement for a named Data Protection Officer (DPO) implies that a new organization will be tasked and empowered to support GDPR requirements. To fully implement GDPR, the DPO must have visibility into, and authority over, business process changes, as well as the technology investments needed for implementation and monitoring.
GDPR implementation goes far beyond traditional infrastructure security and controls, and blends with changes in business processes and customer relationship management practices. For an organization to fully embrace GDPR and ensure compliance, a new culture must be created that drives new habits around how data is handled and how ownership of that data is understood. The DPO should be empowered, through her or his budget, staffing and authority, to ensure this new culture is successfully put in place and maintained across the organization.