The global data privacy and protection community is currently preparing for the expansion of the Data Privacy Officer (DPO) role, in preparation for the enforcement of the EU’s GDPR in May 2018. The GDPR provides significant motivation for organizations as a whole to take data privacy more seriously. An important first step is to equip data privacy and protection professionals with the information they need to be effective.
In accordance with GDPR the DPO plays a significant role as the ambassador for GDPR within their respective organization. Achieving effectiveness in the eyes of GDPR is something that the industry is still analyzing and interpreting. However, to make meaningful and valued contributions to the organization’s data protection objectives, there are fundamental elements that DPOs and their teams will need.
The following are five (5) distinct yet complimentary areas we think are surfacing as critical elements to support data privacy and protection objectives.
1. A heavy lifter. You don’t have multiple man years’ worth of budget to search and map personal data flows and keep them up to date. Data flow mapping provides valuable insights, but at scale, is made difficult when you have hundreds of processes to manage. IOR Insight can help you get the data you need and keep it fresh and up to date.
2. Business process visibility. The visibility IOR Insight provides will pay dividends by helping your team identify risk-removal opportunities (e.g., minimization and pseudonymization). Other business challenges will arise and that same visibility will be invaluable (e.g., acquiring a company and need to lay out a consolidated best practice approach, identifying cost/risk cutting opportunities in a business unit, or looking at how your business processes will evolve with a digital transformation).
3. Data intelligence. You probably have at least one tool (or maybe more) that can scan for sensitive data across your environment. That’s part of the solution, but how is the business using the data? Why is it stored where you found it? Where else does this data tend go? These are critical questions you need answers to in order to support your organization. IOR Insight will enable you to paint that picture and then analyze it from numerous perspectives.
4. Data privacy strategy. Compliance is definitely an objective but it is likely not your only objective. A strategy-first mindset makes the IOR Insight platform even more important. Beyond compliance, if your strategy is to establish awareness of data usage, understand its importance to the organization, engage your organization in classifying that data, and manage risks in relation to business imperatives, then you will need a platform to facilitate the tactical side of that equation.
5. Data risk awareness. Part of the challenge we all have, regardless of the size of our budget or organizational interest, is that we must prioritize where we will focus our limited resources. Is it more impactful to remediate risks with vendor A or replace vendor B? Are the data handling risks created by supply chain less of a threat than the concerns found in another operational unit? Which risks are most closely associated with personal data processing? IOR Insight allows risks to be evaluated with involvement from resources enterprise-wide, so you have a clear picture of how those risks are created by or affect your organization’s mission. This reduces the overwhelming number of hours to “get the right people in the room” and manage your risks.
Having these elements in place will make data privacy objectives less daunting and more achievable. They will give leaders the confidence they need to report on their strengths/weaknesses, collaborate with internal (or perhaps external) groups to make decisions, and plan to manage weaknesses over time.