Now that the May 25, 2018 GDPR deadline has passed, I'll admit that I never thought everyone could be 100 percent ready by then. In fact, I imagine that most organizations were not completely in compliance on that exact date. But I hope many of you have started down the path of managing data privacy and protection in keeping with the EU GDPR.
Many organizations that are working to address GDPR compliance requirements do not have all the tools or people needed to accomplish all their goals. Most talk about how GDPR has significantly affected how they do business. And they often say that IT is the hardest hit. As you ponder where to go from here, consider these things.
- All your application systems and data stores must be identified and documented – look into what tools are available to help. I believe if a tool can do 70 to 80 percent of what we need, it's feasible to go in that direction. The other 20 to 30 percent of tasks will take the longest and will be hardest to bring into the fold, but at least you will have met 70 to 80 percent of your needs.
- Interfaces must be identified to understand the data movement. All data stores that include employee or customer data that could possibly contain EU personal data must be identified and documented. All levels of data – including work tables, staging tables and other temporary storage environments – need to be identified and documented. Interfaces could be any programs that move data, including ETL, ELT, etc.
- At some point, you will have to report all this information. The days of thinking of reporting as an afterthought are gone. You need to make sure you can get the information in a format that can be easily reported on and audited. Reporting needs to be addressed at the level required for audits, but also at a level a layperson inquiring about their personal data can view and understand.
- There are challenges in being able to hire or contract people who are skilled with data management and compliance – it pays to understand these challenges. I recommend checking at SAS user groups or meetings, or at DAMA meetings, to find qualified individuals. If your software vendor has consultants, you may need to consider using them to help implement your GDPR compliance process quickly. This could alleviate some immediate pressure.
GDPR compliance calls for good data management and governance
Organizations that have well-established data management and governance practices are in a better position to complete the requirements of GDPR faster. In fact, many of the same principles that apply to data governance apply to GDPR. So, consider any guidelines you've put in place for data governance as a great place to start. In other words, find the goodness that you already have, and take advantage of it.
If you're still not ready, be as prepared as possible with what you do have in place. Consider outlining your next steps as a phased-in approach that will eventually help you achieve full compliance.
In my opinion, something is better than nothing. If you can report on those data stores and interfaces that use or move EU personal data, then you have a foundation. Don’t let your efforts languish until the sky really is falling. Creative chaos can be a stimulating environment that encourages employees to think outside the box. So – get your thinkers together, and get started. Take charge of your response to GDPR.