
Procrastination and GDPR

Author: Clarip’s Director of Sales

“I will stop procrastinating tomorrow!”

A lighthearted observation on human nature to be sure, but such an adage could aptly be used to describe the vast majority of us, as we face deadlines, demands, and tasks that seemingly have to be completed immediately. In my experience as an educator, I would oftentimes give my students only a week or so notice before asking for a 10+ page paper. Amidst all of the moans and grumbles, I would then posit this query: “If I gave you a paper that was due in 60 days, what day – if you were truly being honest – would you likely start? If you say any day other than 59, I have a bridge in Brooklyn to sell ya!”


Procrastinating seems to be hardwired in our DNA (see Y2K, New Year’s resolutions), and so it seems to be with GDPR as well. However, for those of us in the IT security and privacy realms, May 2018 and the ultimate enforcement of GDPR will be here shortly – as of today, we have a bit more than six months! As such, expediency is critical, but budgetary and time constraints remain all too real. In short, what can you do to make sure that your company is in compliance when May 25, 2018 arrives? Here is a brief primer:

1) Assess your data – Perhaps the most important – and VERY FIRST – step that you should take is an overall assessment of the type, size and scope of your data collection. Ask yourself whether you control sensitive data, either on employees or, more importantly, on your consumers. Also, make sure that you fully understand how your data is housed and with whom it is being shared. You must complete step 1 before you can proceed!

2) Process and Procedure Evaluation – Once you have assessed your data – and recognized HOW MUCH sensitive information you control – it is imperative that this data is properly structured and handled. In addition, establish a clear delineation of WHO has access to sensitive information and how it is shared. Finally, you need to assess the sovereignty of the data: should it be housed in the US, the EU or elsewhere?

3) Privacy by Design – With the approach of GDPR, more and more (AND MORE) companies are recognizing that privacy is a challenge unto itself. Although traditionally housed within HR, IT or even Legal, privacy – and the inherent customer expectations therein – will likely necessitate a full-time CPO or virtual DPO. The upfront costs may frighten some, but the long-term value is undeniable, as the focus on “privacy by design” is here to stay. For more information, visit us at www.clarip.com.

4) Triage – Leadership on this is imperative: you must prioritize compliance and triage the necessary remedial measures. Of utmost importance are consent management (opt-in/opt-out) and the right of customers to access their data. In addition, continuous testing of your systems, whether monthly or quarterly, will ensure that you discover problems before regulators do. Finally, Privacy Impact Assessments (PIAs) are extremely valuable.

5) Plan and Insure – Make sure that you have a plan in place in the case of an incident or breach. “Those that fail to plan have planned to fail,” is what my father used to tell me. Such is the case with GDPR as well – make certain to allocate financial resources in the event of a breach and have a strategy in place for how to address it. Finally, consider buying an insurance policy against the possibility of a breach – so-called “cyber insurance.” The best offense is oftentimes a strong defense!

For more information on GDPR and “privacy by design,” please visit us at www.clarip.com.
