The general data protection regulation will come into effect on May 25th, which underlines the importance of establishing a strong data culture within each company.
For Thibaut De Vylder, CEO of dFakto, the findings are not appealing: “Many organizations are still doing gap analysis, and too few have started the actual shift to implementation. It is only the implementation planning and rollout that makes it possible to understand the scope of the work to be performed.”
In this type of regulation activity there are three obvious phases: “Assessment”, “Implementation” and “Operationalization”. Currently, all the activity we’re seeing is organisations focusing primarily on the assessment, especially focussed on legal analysis of the contracts of their customers, focussing on the right to use the data, etc. At the same time, security specialists analyze the infrastructure, the network, the way the data is stored, along with many generalist consultants help to produce of the gap analyses between the current and target regulatory compliance situation. The purpose of all these typical analyses being that each company makes only an inventory of the management of personal data within their activities.”
Beyond the theory
Aligned to these three types of assessment actors, there are tools to support their outcomes, but these are constrained to the theory rather than the practice of actionable GDPR. “Hence the interest to move past this to the action stage,” continues Thibaut De Vylder. “There are implementation guidance solutions, such as GDPR360, that are designed for lean simplicity and are particularly designed for tracking the tasks to be performed, and associated risks. In addition, controls are carried out on the basis of the data deemed sensitive and which will make it possible to detect the noncompliant data and suggest the precise actions to make them conform to acceptable tolerances.”
The goal is to facilitate & drive a true data culture: the lean nature encourages each employee to contribute and become a “data citizen” in the company and seamlessly take on his or her responsibilities in relation to the data. Further regulations such as e-Privacy will only reinforce the requirement for these responsibilities.
A strong signal
Nevertheless, it is clear that “there will be a transitional period, the communication at the base was not necessarily very clear,” says Thibaut De Vylder. “GDPR is a good practice and sends the signal that we will not be able to do anything without asking people for their consent. The digital image of people is increasingly used for decisions that concern them. Hence the importance of restoring the management of this image to the people in whose hands belongs.”
Source: Thibaut De Vylder interviewed by Olivier Clinckart translated from http://www.infosentreprendre.be/conseils-it/bien-aborder-le-virage-du-gdpr