After last night’s State of the Union, it seems like a good time for taking stock and planning for the coming year. Although it’s unlikely that you’ll be interrupted dozens of times with applause (or boos), taking the time to carefully lay out your data strategy and data security plans for the year is good practice and, in some ways, it might even be mandatory.
We recommend that, when you think about your SOTU, you break it up into three parts: an analysis of last year, a statement of what the world looks like today, and a lineup of what you intend to do next. That seems like a simple framework, and it is, but effective simplicity is always better than unexecuted magnificence.
First, figure out what developments over the last twelve months have had a material effect on your business. Has there been a disruption in the industry? Perhaps there was a data breach that shook customer confidence or a ransomware attack that required you to pay money or, worse, customer data.
Whatever the events were, it’s time for a thoughtful examination of what they mean. If there were breaches, have you complied with all regulatory or legal requirements about notification and reporting? Did you categorize the breaches and notify your Data Protection Authority (if you’re in Europe)? Are you prepared to make such a report in 2018 if you’re subject to the GDPR? Answering these questions honestly requires critical thinking and a deep familiarity with your data, your data systems, and your internal policies. If you can’t answer them, you need to learn, and quickly.
Once the retrospective analysis is done, look at what is happening in your business and your industry right now. Ask yourself whether there is an emerging technology or rising competitor causing you to rethink the way you process your information. Ascertain the needs the company has today: shoring up GDPR compliance, finally getting that data partnership in writing, or revising employee agreements to protect that new intellectual property you’ve developed this year. The task is to realistically evaluate what decisions, both strategic and short-term, need to be made, and make them.
Once that is done, set goals for the coming year that focus on data security and data strategy. This step, in many ways, is an exercise in risk evaluation, because it involves determining what negative risk you want to mitigate and what positive risks in business development you want to take.
There are some clear benefits to doing this yearly inventory and planning exercise. First, it gives your business the opportunity to have an ongoing narrative of your efforts to protect your data and recognize potential sources of liability. Next, it provides a benchmark for measuring progress through the year. It’s very easy to fall into the trap of making decisions on an ad hoc basis without thinking about the bigger picture. By having a framework to refer to, you can avoid decisions that conflict with, or worse, undo, a prior decision.
Finally, this process forces you to think about data with an eye towards the future. Planning is critical, both for successful data strategies and for complying with data security regulations. And a good plan helps to calm regulators’ concerns about whether you are paying sufficient attention to data security.
Although this is not a quick project, it is one well worth doing. We encourage our clients to treat this process as though it would prevent a lawsuit or an enforcement action, because it very well could.