I talk to a lot of customers that would love to buy a “General Data Protection Regulation (GDPR) appliance,” and also more than a few resellers that would be delighted to sell one. I think it’s a reaction many of us recognize in life these days – “That looks too difficult or complicated. Can I just pay to get it done?” Well, you can to a point, but that won’t put any distance between you and some difficult decisions.
The challenge with GDPR is that it cuts across just about everything modern organizations do, and it also forces business to think about things it previously hasn’t had to. This is just the first reason of many why you can’t throw a single technology “solution” alone at this troublesome regulation. Here’s my take on the biggest inhibitors to a “Harry Potter” fix for GDPR:
- Business Choices: Right now, your business probably collects a lot more data about your customers than you need to, just in case you can use it down the line. Under GDPR you’re constrained to only collect the minimum amount of data, for clearly defined purposes. You’ll also need an explanation ready as to why you’re collecting it, and what you’re doing with it.
- Training and Awareness: Simple things that the average sales person does today could put you in breach of GDPR, such as blind copying an email to a bunch of prospects at different companies. And in many cases, decisions that marketing used make in isolation will require review by a Data Protection Officer. You will even need to review the privacy standards you apply to your own staff and contractors.
- Legal: There is a lot of talk of AI in the legal space, but we’re quite a way off from that just yet. This means a time consuming review of your own privacy notices (and how you apply them). You will also need to review all of your customer and supplier contracts. Suppliers’ timing and control could affect your own compliance with GDPR if they store or process personal data on your behalf.
- Business Processes: GDPR could cause you to re-think whole sections of your business, with marketing strategies often the first victim. Some businesses with privacy practices that are frowned upon now could even be put out of business if they don’t change.
- GDPR is Ignorant of Technology: The committees that drew up the GDPR didn’t give much consideration as to what was achievable with technology at the time; they just put the individual and their personal data first. They also tried to future-proof your information against technology developments yet to be made. This means the regulation cuts across way too many areas of technology for a “one box,” or even single vendor solution.
There are many more areas than these to consider. I’m only just scratching the surface here. If ever there was a challenge where the real solution is “People, Process and Technology,” GDPR is it. It’s no wonder that the size and complexity of the challenge is leading to confusion and inaction. If you’re a GDPR project owner and you haven’t expanded the working group across each pillar of your organization, now is a great time to revisit its scope.
That said, ignoring the likelihood that your organization will need to make some sort of technology investment isn’t an option either. Due to the scope of GDPR, spending all your efforts trying to fix process issues alone probably won’t be enough. While assessments and process reviews must come first, sorting those out by the end of the year and only then involving IT – and IT operations, of course – will surely still leave you facing unnecessary risk. Not to mention the extra workloads GDPR will place on your staff.
At Commvault we have put together workshops that can help you prepare for GDPR. While we’re (rightly) not proposing that we offer everything you need to be compliant, our data platform works across your whole data landscape and can plug many common holes with regard to GDPR data management. Learn more about Commvault’s GDPR Compliance solutions.