Wednesday, September 20, 2017

Bringing GDPR Home – What does GDPR compliance actually look like?

Since the GDPR was adopted as EU law in spring 2016, a great deal has been written and discussed about how the Regulation will affect large and small enterprises trading in Europe. By contrast, very little attention has been given to exactly how an operationalized GDPR will look and function when it serves real citizens in the real world every day. With the countdown clock ticking steadily towards 25 May 2018 (a.k.a. showtime), here are some pressing key questions that need answering:

Question #1: What are the essential hallmarks of enterprise GDPR compliance that regulators will expect to be in place? At the user interface, will anything need to be changed at all?

Enterprises will be expected by EU citizens to have done something (not nothing). Consider that Recital 1, Sentence 1 of the GDPR reads: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Clearly, the EU legislature has set a high standard for citizens’ personal data protection, and it is already the law today. As a population, EU users now have a fundamental right to see compliant data protection, visibly and continually, on desktops, laptops, tablets, smartphones, apps, venues, etc. … wherever and whenever their personal information is moved or accessed.

Takeaway: Enterprises ignoring this fundamental right can expect negative attention from both consumers and regulators sooner rather than later.

So … “something” needs to be done … yet no detailed specification for compliance is available (and none is likely to emerge anytime soon). What could “something” be? Is there an answer to this conundrum?

Yes, there is an answer … and it’s a good one: Looked at holistically, and from a Privacy by Design perspective, GDPR defines one strong, solid, fundamental requirement. Very simply, at the touchpoint where personal information is gathered from a user under GDPR, that information needs to flow through a dialogue between the user and the enterprise. This mandate is a unique hallmark of GDPR. The old “Post and Hope” model (publish a privacy policy somewhere and hope nobody asks) no longer complies.

Under GDPR, both enterprise and user need to participate in turn: transparent notice covering the legal basis and the applicable policy is displayed; where consent is the legal basis relied on, that consent is informed, negotiated, and gathered (bearing in mind that consent is only one of the lawful bases listed in Article 6, and that a contract, a legal obligation, or a legitimate interest may apply instead); and individual rights are presented and optionally exercised. In concept, GDPR is all about enterprise and user working together in a touchpoint dialogue to protect personal privacy and build mutual trust.

Takeaway: A touchpoint dialogue meeting these fundamental requirements is not only “something”, it’s a spot-on solution congruent with the spirit of the GDPR Regulation. If/when implemented, it can go a long way towards pleasing both user and regulators.

Question #2: As implemented in the real world, what does such a touchpoint dialogue actually look like?

To visualize it, here’s a working ConsentCheq sample of what a web page data collection dialogue might look like for a fictitious movie website. The sample is operational. Put on your user hat and role-play with it. Got notice? Got consent? Got rights? Does it minimize friction while meeting mandated compliance? Does it meet DPO/DPA expectations? What’s missing? What’s dispensable? Privacy pros’ comments and suggestions for improvement are welcomed. Email:

Takeaway: At PrivacyCheq, all essential components of GDPR touchpoint dialogues are available today, configured as operational prototypes for specific lines of business and delivery models. Enterprises can quickly leverage these consent management libraries (and associated toolsets) to bring GDPR home with a minimum of disruption, user friction, and re-engineering of current IT procedures.

Question #3: What is a practical set of steps for GDPR-exposed enterprises to take right now to avoid negative attention from EU regulators as enforcement approaches?

1. Decide to do something. Avoid doing nothing.

2. Form a team; focus on what the team believes is most important.

3. If there is no team, or if the team can’t focus, consider employing a “straw” touchpoint dialogue design (pre-built, generic for your industry and business model).

4. Schedule a day to show it to the team. Perhaps invite your consultant if you have one.

5. Mind the gap. How closely does the generic dialogue fit your specific needs? What looks good, and what won’t do? Weigh the strengths and weaknesses. What is inappropriate? What just requires cosmetic adjustment?

6. Using the toolset, progressively modify and adapt the straw dialogue, morphing in actual corporate policy, actual IT interface connectivity, and ongoing operational infrastructure. Optionally, you may employ a consultant to help with this.

7. Lead the team in evaluating the result against reality. Rinse and repeat.

8. Let the team weigh the result against starting with a “clean sheet” (we'll write this code internally).

9. Execute on a plan. Either way, the team is now focused, a set of real-world requirements is in hand, and future steps are now defined. And you’ve already done something.

Takeaway: PrivacyCheq's consent management solutions (ConsentCheq for larger enterprises and ConsentIQ for SMEs) are Privacy-by-Designed to kickstart your GDPR operationalizing effort. Request a demo here.

Dale R. Smith, CIPT