The Soccer World Cup Finals And Its Unlikely Similarity To GDPR

By Nigel Tozer

At this point, you’re probably thinking, “How is the soccer (or football – I’m British) World Cup Final anything like the General Data Protection Regulation (GDPR)???”

The actual answer is that it’s a lot more like it than you would think. Both share the need for planning, strategy and the right tactics to win; the heartbreak and long-term reputational damage of losing out; and the difference between winning and losing being dictated by the day-to-day hard work beforehand and in the build up to tournament.

Let me explain.

Becoming 100 percent GDPR compliant is practically impossible. A strong statement, but as the regulation contains too many unquantified prepositions (large, reasonable, etc.), that’s pretty much how the land lies. Or in this case, how the soccer pitch lies. So what do you do about it? I’ve spoken to CIOs, CDOs (Chief Data Officers) and other senior executives on the topic, and the general consensus is that you have to find a “defensible position” for your business, then maintain it, and if you can, improve upon it. This is where it starts to look more and more like football. Apologies, soccer.

Maintaining your defence

Let’s start with defence – your last line of which is the goalkeeper. Your Data Protection Officer is the goalkeeper. They can see the danger unfolding in front of them, but barking instructions to the defenders at the last minute is, frankly, too late. Remember, once that ball crosses the goal line, the referee (or regulator in GDPR terms) calls the shots. This will then dictate your fans (customers) behaviour, and in some cases, their loyalty.

What you want is for your players in defence to have the awareness to see that goal threat developing earlier on, and deal with it as team before the ball gets anywhere near your own goal. In business or public sector these defenders are like your department heads – each having responsibility for their own patch but keeping an eye on the others to help prevent mishaps. Teamwork in defence then is the order of the day. If you speak to some managers (famously Klopp for instance) that defence begins with the strikers and midfielders being aware and closing down threats as “high up the pitch as possible” before the ball gets anywhere near your own goal.  The same for business: the first line of defence must be all the sales people, marketers and HR professionals that are handling sensitive personal data/PII every day.

The opposition

Is your biggest risk the opposition – Hackers United – or is it the threat of an own goal?

If you play any kind of “fantasy” sport (picking the best players for your fictional team), you’ll know that nothing can be perfect or guaranteed. The opposition can have such a moment of brilliance that it’s just impossible to plan for – hackers can, too. Referees can, of course, disallow a goal, but you’re going to have to rely on some good evidence to get this outcome in GDPR terms, and unlike in football (sorry, soccer), you’re going to have to provide this in an indisputable way, for yourselves.

More likely, though, is that you will have gaps in your defence – an unsecured cloud share, poor access controls or a lost laptop – that will cause the damage, with which you will get zero sympathy from the ref. Just as likely is an own goal from an attacking player (sales or marketing) trying to help the team, but just managing to nudge the ball past your own goalkeeper. Some great examples of this did the rounds on social media before the 25 May. When sending out privacy notice updates, a few careless organisations managed to CC their entire customer list, exposing all of the recipients to each other.

Winning the Cup

Is there a World Cup trophy for GDPR compliance? No, and there isn’t a final either of course. GDPR is ongoing. But there is a victory of sorts.

Having a customer (fan) base that trusts you to look after data about them will help you retain customers, and more important, win new ones that value privacy and trust. In addition, you can’t reach your “defensible position” unless you understand the personal data/PII your organisation holds. Moreover, by doing that you can gain efficiencies that provide tangible savings, and drive new business models or improved services for your customers.

If you want to better check how your GDPR “defensible position” stacks up, ask about running one of our GDPR workshops, or contact us now to understand how Commvault can profile your data, and how that will reduce your risk and provide multiple benefits to your business.

You know you should – believe me and every England supporter – you really don’t want to lose on penalties!