Ignorance

How to Run a GDPR Project

First: If you think that as a cybersecurity ‘expert’ I know how to run a GDPR project a) you can’t be that familiar with GDPR, and b) you have not read any of my previous blogs.

Second: If you have read my previous blogs and clicked into this blog hoping to get advice on how to run a GDPR project, you weren’t ‘listening’. At most I am a first conversation and a pointer to your next.

Then again, would you be reading this right now if the title was; “GDPR: No Idea What I’m Doing, But Here’s Yet Another Opinion.”?

So like everyone else on this little regulatory bandwagon – with the possible exception of privacy lawyers – all I have are opinions, and what I hope is a little common sense. Here in the UK for example, the GDPR is just an expansion of the Data Protection Act of 1998, which in turn was a consolidation of previous acts, some dating back to 1984. And if that’s not enough, ‘The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data‘ published in 1980 by the Organisation for Economic Co-operation & Development (OECD) contained many of the basic tenets upon which the GDPR is predicated:

  1. Collection Limitation Principle;
  2. Data Quality Principle;
  3. Purpose Specification Principle;
  4. Use Limitation Principle;
  5. Security Safeguards Principle …and so on.

That means privacy lawyers have had 37 years to get good at this stuff and pass it on to all fledgling privacy lawyers. The rest of us may have some knowledge, but this will only ever be enough to overlap with the legal profession. This overlap will then hopefully enable us to translate the lawyer’s legalese into a language relevant to our respective departments. This is actually critical to GDPR implementation as lawyers do NOT have the final say, it will always be a negotiation.

Why is this not enough? Why would any non-lawyer even want the task of applying GDPR’s Recitals and Articles into a business’s specific context? Do you think you’ll make enough money to retire before you’re discovered as an incompetent? I have never seen a clearer case for a team effort.

The GDPR Implementation Team

  1. The Lawyer – For some reason everyone assumes that when I say lawyers should lead the effort, they come back with expressions of horror. “Lawyers can’t project manage!”, “Lawyers can’t operationalise GDPR!” and so on. By lead, I mean setting the goals and objectives. You know, leading, not managing. Only lawyers are truly qualified to provide proper context, so they should make their case first.
    o
  2. The Salesman – Like it or not, GDPR will have an impact on your business. Leave the sales team out and you have ruined any chance you have of making that impact a positive one.
    o
  3. The Marketer – As with the salesman, there is no reason that ‘compliance’ with GDPR can’t have a positive impact on an organisation, even its bottom line. The marketing / PR spin is the face of your efforts.
    o
  4. The People Person – Sounds better than the HR person, but I have never understood why these folks have so little part in projects like this. They are the Keepers of the Culture, use them.
    o
  5. The Technologist – While there is very little directly related to technology in the GDPR, it’s clear that technology has a huge role to play in its implementation. There is not compliance without the IT team.
    o
  6. The Project Manager – This one needs no explanation
    o
  7. The Cyber-Peep – Where there is data and technology, there is a need for security wrappers, but this role is no more critical than the others. That’s like saying the wheels are the most important part of a car.

And yes, if there are other departments they should be included too. Privacy cannot be siloed.

What’s missing is something to bring it all together. If only there was an organisational function that took the input from all of these departments and stakeholders and formulated a plan to accomplish the business’s goals! Wait, sounds a lot like Governance, doesn’t it?

It’s already far too late to be proactive, but you have until the 25th of May, 2018 to appear to be proactive. Get your team together and don’t waste this opportunity.

[If you liked this article, please share! Want more like it, subscribe!]

Leave a Reply

Your email address will not be published. Required fields are marked *