With 6 months to go until the GDPR steps in, it is time to shift your focus from general risk mitigation to risk prioritization.
Know Your Endgame
Identifying, assessing, prioritizing and mitigating data protection risks. That is what GDPR readiness work is all about.
However, with so little time left and so much to get done, it is easy to skip straight to mitigating the risk of administrative sanctions. While this course of action is certainly necessary, it has two major flaws.
What Risks Can You Live With?
Flaw #1: Your ultimate GDPR risk level is determined not by the risks you have taken care of but by those you have yet to tackle. Despite all your hard work, it is highly unlikely that your company can be fully GDPR compliant by 25 May 2018. This leads to the question: what risks can you live with? In order to answer that you have to know what risks you are up against.
And so we get to flaw #2: Administrative sanctions may not even be your biggest risk. Think: interruptions to your service, corruption of data, decline in customer trust, inflexible services… these issues may initially appear small but can, in practice, cause large damages to both you and your clients.
This leads us at D&I to believe that instead of mitigating every risk you come across and hoping you have time to fix them all, the key to GDPR success lies in prioritizing your work. Here are a few of the points we tend to focus on:
Risk: Sanctions or client distrust due to insufficient proof of data protection work
Solution: Accountability check list – The GDPR summarized in one word: “accountability”. Ensure that you have a clear and thorough step-by-step plan for getting your documents and processes in order, so that when your clients or the regulatory authority come knocking on your door you have something to show for your work.
Risk: Damages due to service provider actions or omissions
Solution: Processor management controls – With service providers playing such a key role in the processing of your data, keeping them in check is a top priority. To do that you need data processing terms, processor selection criteria, and audit processes – just to name a few.
Risk: Damages caused by human error
Solution: Awareness training and allocation of responsibilities – Not everyone has to be a data protection expert, but everyone needs to know (a) when to ask questions and (b) whom to turn to.