So, GDPR has been in effect for just over a year now. (15 May 2018). Was there a celebration in your organization, or is GDPR a bad word? 🙂 )
Many lessons have been learned through the effort of bringing our systems into compliance with GDPR.
I think we can start to generalize from those lessons to identify how our own I.T. systems might benefit from this effort.
Generally, I think there are four broad and very generalized steps to bring your systems in line with GDPR – and to lead to better compliance over all.
- Understand what data you’re holding and where it is stored
- Collect and organize your data so it becomes an asset.
- If the data is managed, and it becomes an asset, you can better determine the effort and value – or the expense – it takes to hold it.
- bringing it in from extraneous storage locations is important. If you don’t move the data, cataloguing it can serve the same purpose. You must know where it is stored so that it doesn’t become a forgotten silo with unmanaged and broken permissions and access controls to surprise you later.
- Determine which services related to compliance with the regulation or management of the I.T. system you can and should centralize.Which monitoring systems do you need to identify changes, updates, access requests, delete requests, and other operations requested on the data?
- Which services are needed to return current status and transactional logs related to the data and these requests?
- Which trigger and alert services do you need to support to notify you of items that are trending in unexpected directions or are out of compliance?
- Understand which applications are accessing that data and prepare a plan to replace them with compliant applications, eliminate those applications that will be too expensive or risky to maintain, or modify the applications so they can be compliant
- Finding a way to integrate your corporate applications with the centralized system of monitoring and compliance can provide you with a single source of application services related to the regulation and flexible applications that can more easily be modified to support future regulations. (e.g. do you do business in the state of California?)
This can take some time. It can take some patience, and it will require a prioritization effort to determine which project to modify first, etc. Perhaps there is someone in your organization that remembers the Y2K effort? Ask them about their lessons learned from that prioritization effort. 😊 I’m not suggesting that the implied urgency is the same… or am I? We still have time before GDPR affects our own little I.T. group, right? Well, maybe not, and perhaps there is some urgency here.
Discussing this path to compliance can be useful. The first step toward being able to achieve a journey is to take the first step, of course, but having a map brings so much efficiency to the effort and saves so many wrong turns.
Use this map to compliance and see if you can liken it to your journey to improved collaboration, or deploying MFA and secure authentication across your organization, or any other I.T. challenge that is in front of your team this quarter.