May 25th has arrived and with it the enforcement deadline for the General Data Protection Regulation (GDPR). We can all let out a sigh (or scream) of relief.
What happens now (other than some well deserved vacations)? Will May 26th be anticlimactic for privacy professionals? How do we keep up momentum for data protection post-GDPR?
Despite the speed with which companies have scrambled to prepare for GDPR, data governance is a marathon, not a sprint. Successful privacy programs are maintained and continuously improved over time.
6 Recommendations for the Post-GDPR World
1. Begin with a pat on the back.
Take some time to celebrate your accomplishments. Take stock of how far you’ve come in developing your privacy program and the success you’ve had influencing business and data-governance stakeholders to devote time and resources to the GDPR project. It’s important to mark the milestones and reflect on how the challenge has helped elevate the visibility of privacy issues within your organization.
Taking stock will also highlight your next steps. Which projects still need to be finalized? Which ones could benefit from some revision and polishing?
2. Evaluate your personnel needs.
Will the same stakeholders be involved in the maintenance phase of your privacy program that were involved in the GDPR compliance strategy and implementation phase? You may need additional legal, operational, or technical personnel to keep pace with the demands of a privacy program. For example, you may need help completing data inventories and privacy impact assessments. Do you have enough resources to handle individual rights requests, such as access and deletion? Re-evaluate how your privacy and security team goals and initiatives align; it’s important to remember that privacy and security teams need to work together.
3. Double-down on Privacy by Design (PbD).
With privacy top-of-mind in your organization, look for ways to expand privacy within your company culture. This includes Privacy by Design, a process of “baking privacy” into the development lifecycle of products and services.
4. Invest in Monitoring and Metrics.
What controls do you have in place to monitor GDPR compliance, track gaps, and act on issues that are flagged for remediation? How do you currently communicate metrics to data governance stakeholders? Being able to answer these questions will help you increase privacy and data governance awareness while effecting change.
5. Show business value.
Set aside the way GDPR compliance saves your organization massive potential fines. How can you track the business value added because of GDPR compliance? For example, how can business teams leverage your data inventory to make informed business and strategic decisions? How can you track enhanced customer trust because of the demonstration that your organization takes user privacy seriously? If you’re looking for an excellent example of how a mature privacy program decreases the length of the sales cycle, check out this benchmark study by Cisco (PDF).
6. Cultivate flexibility.
With all new regulations, there will be challenges and unexpected interpretations. It will be up to your data governance team to keep an eye on enforcement actions, customer demand, and best practices which emerge in your industry. What you learn will help you become more agile going forward.
Congratulations on all you’ve done to meet the challenges of GDPR. But don’t rest for too long! We truly are in the midst of changing tides for privacy rights.