3 Ways To Simplify GDPR Compliance

Oracle

Two global events will happen very soon.

The first will feature teams of grown men kicking footballs around the fields of Russia. Hundreds of millions of people will watch thousands of hours of it on TV, and within a few weeks the world will go back to normal. The second event will go comparatively unnoticed, but it will impact even more people, and for a lot longer. It’s called GDPR, and it’s got companies worldwide on high alert.

At 68 pages and with 99 separate areas of focus, the European Union’s General Data Protection Regulation is a bit of a beast to digest, let alone comply with. Matters once left for IT organizations to worry about—data portability, privacy by design, storage control, record duplication—are now most everyone’s business.

The optimistic would say GDPR is an opportunity—the chance to build trust with customers and strike a blow against less virtuous competitors. But many companies have approached this sweeping regulation as an enormous headache, made better by lying down in a dark room and doing nothing.

That’s not much of a strategy, unless you don’t mind a €20m fine or surrendering 4% of your global revenue. And it’s unnecessary, too, because GDPR is not mission impossible. Here are three ideas for eventually making such compliance easier, well beyond the May 25 deadline.

1. Move Away from Myriad, Disconnected Platforms

Most companies have an enormously messy mix of IT systems and applications—software from one supplier running here, another deployed there, bits of owned hardware, with pockets of cloud infrastructure. Add to the mix application programming interfaces going in and out everywhere.

Some companies have designed it like this on purpose, favoring what they see as the best supplier for each specific need. But the resulting complexity makes it very hard to know everything about all the data you hold—where is it, how did you get it, what do you use it for, how easily can you access it? Questions that, starting May 25, you’ll have to answer when anyone afforded protections under GDPR asks you.

Now imagine unraveling that mess and replacing it with a cohesive IT architecture, whose systems and applications were built to work as a unit, with the data organized so that it’s easier to find, change, transfer, erase, or whatever else you’re told to do with it.

2. Prioritize Security Over Style

OK, so only a handful of platforms, but which ones? Well, platforms big enough to have all the features, functionality, and scalability you will need, but that also embrace the concept of privacy by design. You want platforms that have prioritized security from the start and keep it a priority as new features are released, plus ones that come with machine learning capabilities as standard to lessen the risk of those pesky humans making mistakes. Partitioning should keep each dataset within reach of only the people who need access to it, and encryption should render data unusable to anyone not holding the proper key.

3. Understand that Compliance Equals Communication

GDPR is about more than just data. Compliance has as much to do with communication as data, because ultimately GDPR is not simply a piece of static regulation, but also a new playbook for how businesses need to engage with people.

So you’ve got your GDPR team: the IT org to buy and deploy the technologies that enforce the policies; the data protection officer to provide day-to-day oversight; the customer service team to process data requests...great.

Now, what about how they’ll work together? How do requests get received, and where do they get sent? How does data get to where it needs to go? Who records all of this, and how? If you buy into the argument of having a single or only a handful of platforms, then why not get those same providers to help you answer these questions?

GDPR may be new, but how to marry an IT platform with effective processes is not—and few are better qualified for that job than the folks you get the technology from in the first place.

As simplified as these ideas can make GDPR compliance, if you’re not already well on your way, it’s unlikely you’ll be ready by deadline day. But compliance doesn’t start and end on May 25.

Just as companies that are prepared for GDPR can’t think the job of compliance is ever “done,” those that are behind can catch up. Unlike the footballers heading to Russia next month, everyone can come out of GDPR as winners, by taking the simple road.

Dominic Collard, based in London, is a business reporter for Oracle.