"I've got an opportunity for you," your boss chirps in that telling tone. "The board has requested that you singlehandedly ensure we're GDPR-compliant."
Oh, yes, you can!
The task of making sure your organization is in full compliance with the EU's General Data Protection Regulation may seem daunting, but the good news is there are plenty of resources available. This guide is intended to get you started with strategy, tactics, tips, and potential pitfalls to satisfy the requirements of Europe's landmark data privacy legislation.
And if misery loves company, the reality is that lots of other non-privacy people have been tossed into the GDPR pit by their organizations. While it's often someone in IT or information security who gets the honors, it could also be someone in the legal department or possibly an office manager.
"Very few people are qualified, trained, and up to speed on all the different competencies required with GDPR's data privacy requirements," says Omer Tene, VP and chief knowledge officer for the International Association of Privacy Professionals (IAPP). "Lawyers have tech deficiencies and tech people can't understand laws," but a privacy program needs both to make sure compliance, risk mitigation, and data governance all get addressed.
Regardless of who takes on GDPR compliance, that person (let's assume it's you) will need to involve IT personnel tasked with ensuring data privacy – security, storage, data sharing, and other privacy functions spelled out in the legislation. You'll need to work with business unit leaders to understand how the data is acquired, how it gets shared externally, and which third parties have access to an organization's personal data. Regardless of education or training, you'll need to be well-organized and able to navigate all echelons of your company to get answers and documentation.
But the first step in demonstrating compliance with any data privacy law is data mapping (more on this in a minute), IAPP's Tene explains.
"You need to understand what personal data actually is, what's covered and where it resides within an organization, and how it flows through [internal and external] systems," Tene adds. Regardless of whether IT or infosec personnel are leading the GDPR charge, they'll be brought in to handle the data mapping since it's an IT activity, not a legal one. The task is simply too complex – and important – to be left solely to expensive lawyers.