GDPR: Notes from HBR Webinar
Though GDPR is EU-specific, it will have a global impact.
Enza Iannopollo of Forrester Research presented her view of GDPR. Brief notes, with some comments of my own, below.
Readiness
- 30% of firms globally say they are GDPR ready. 33% of North American firms say they are ready.
- Driven by B2B demands rather than fear of enforcement action
- Enza was skeptical that readiness was really that high, especially for North American firms!
Suggested approach is to run a gap analysis:
- Focus on high-risk data-driven initiatives:
  - Sensitive data
  - Third-party involvement
  - Cloud and/or analytics
Next, prioritize risks. Then, build upon that priority and execute with the following steps:
- Roadmap to mitigate risks
- Security controls for risks
- Re-engineer essential processes such as consent, re-consent, data subject rights, data breach notification
- Policies and procedures to deal with conflicts between data rights, e.g., a deletion request may have to be refused because a different regulation requires the data to be retained
- Firms can still work towards full compliance after the 25 May 2018 enforcement date
Then, maintain compliance, which could be the harder part in the long run. Do this by:
- Developing and testing a response plan
- Auditing the audit mechanisms!
- Training and awareness
- Preparing and maintaining the evidence needed to demonstrate compliance
Customer experience is essential; plan for the worst case. Have a PR response plan ready to go.
Good data protection enables more things to be done with data, not less.
Overall, this was a useful primer on the bare essentials. Enza's point that firms seem to be approaching this as an opportunity to improve operations and satisfy partner and customer expectations is a good starting point for justifying GDPR work as a business activity. Making a business case for GDPR on the basis of a hypothetical enforcement action is probably quixotic; it is sounder to argue that it addresses customer and partner requirements. The recent Facebook-Cambridge Analytica fallout can also serve as a rallying point for a concerted investment.
Though GDPR is EU-specific, it will have a global impact for the simple reason that it is far too onerous for firms to comply with different standards in different markets. They will likely coalesce around the most stringent big-market regulation and apply it globally, especially since supply chains, data and business processes are intertwined across most firms' internal and external infrastructure. Therefore, even non-EU vendors and non-EU subsidiaries of large global firms will likely have to comply with some or all of the GDPR regime. There is nothing new in this: in fields such as aviation, finance and banking, a single large-market regulator can effectively define global standards (e.g., the FAA).