Observations from the front line: No silver bullets

(Originally posted on LinkedIn, March 6 2017)

As I mentioned in my first article, I have noted the curious reluctance of many organisations to simply get started on their GDPR compliance while they are still looking for budget. I have observed another outcome of the late start being made on the GDPR: the desire for a ‘silver bullet’. This takes the form of a rush to buy something, typically a tool to manage privacy impact assessments, that can be presented to management as a concrete step towards complying with the GDPR.

I have a few – well, a lot – of concerns about this approach:

Article 35 mandates a data protection impact assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of individuals, and in particular for systematic and extensive profiling, large-scale processing of special categories of data, or systematic monitoring of public areas on a large scale. This will obviously require many organisations to put in place processes to ensure that these requirements are met. Guidance on when a DPIA is and is not required will continue to develop.

While DPIAs are important, they are only one element of GDPR compliance. Compliance is the outcome of doing the right things, and the ‘right things’ are rarely ‘one thing’. For the GDPR, they include setting up training, ensuring vendors are properly managed, providing appropriate notices, having a good breach response process…and on and on. It is about doing all of these things and documenting that you have done them.

The problem is that this is work. A lot of it. And it requires time, which organisations have begun to realise is in short supply now that we have fourteen months until the GDPR comes into effect. I am not sure that a PIA tool is the right way to go unless you are actually facing a volume problem that your current processes cannot manage. There are many things that need to be done, and to really begin dealing with the GDPR (if you are still just getting started), take a look at some of the guidance that has come out. One document in particular, from the UK’s ICO, provides a nice way to communicate the challenge to your management and to make it clear that there is no silver bullet:

Preparing for the GDPR: Twelve Steps to take now
