Friday, November 11, 2016

Prototyping GDPR

This blog relates to the technology of privacy (seen metaphorically by many as the elephant in the room). The blog explores privacy stakeholders' many and varied points of view (metaphorically described by this familiar old elephant fable).

by Dale Smith, CIPT
Futurist
PrivacyCheq

From one vantage point, the implementation of GDPR compliance appears to be well underway. What corporate privacy professional hasn't gotten busy in planning for, participating in, or completing the likes of readiness assessments, impact assessments, risk assessments, data mapping assessments, DPO implementation planning, and related corporate top-down studies? IMO, such studies are absolutely essential, and the fact that many GDPR-exposed data controllers and processors will implement and benefit from their findings augurs well for a successful GDPR transition.

From a top-down vantage point, as the assessments reach completion, the GDPR job feels pretty much done.  Next up, just get the IT guys in here and make it happen.

Make what happen?

IT supports and manages your organization's real-time data interface with your data subjects. That's where fresh personal data comes from. That's where GDPR-compliant notice will need to be delivered, appropriate consent will need to be gathered, old and new data subject rights will need to be presented and managed, and where every privacy touch event will need to be logged for later reporting. Your data subject interface is the place where the GDPR compliance rubber meets the road.

Tasked with making it happen, IT staff will likely look to you (and the fruit of your top-down research) for detailed requirements, specifying exactly how existing operations will need to be modified. Equally likely, the output of your studies and assessments will not have generated a crystallized set of specs.

It's an awkward moment. While you do indeed know much about the GDPR elephant in your room, additional key input will be needed from privacy, legal and consulting resources, DPA and DPO interests, CEO, HR, IT, operations, and perhaps even regulators, before the final implementation can be completed, tested, and deployed. IT pros will remind you that IT implementations based upon arbitrary specs most often end poorly.

So the question is ... how does your implementation team keep the project from stalling at this point for lack of concise requirements and specs? The answer is to use a compliance prototype to focus the process for completion before 25 May 2018. More specifically:

1.  Early on, employ a prebuilt prototype or model with GDPR-compliant functionality already built in (a.k.a. Privacy by Design).

2.  Select a model that closely mirrors your organization's actual GDPR-exposed data subject touchpoints and data life cycle.

3.  Share your model with your GDPR implementation team so that members can focus on it, visualize the final result, and work together to progressively tailor and detail the generic model into a completed solution.

4.  Use the model to cue the need for expert input from individual team members.  Keep the model visual to allow all to see "the big picture", while also highlighting the need and context for individual expert input.  

5.  Use, tool and retool the maturing model as necessary to define final requirements and tightened specs for IT implementation.

The takeaway ... using a PrivacyCheq GDPR model, implementation teams can start with a generic Privacy by Design solution, focus quickly on what is already in place, assess what remains to be done, then coordinate talents and responsibilities to forge a final GDPR implementation for the enterprise.