Living in Miami means we deal with hurricanes. For most Floridians, the response to a Category 1 or 2 storm is to buy enough food for a hurricane party and binge Netflix until the power goes out. A Category 3 means block the windows, and at a Category 4, we’re gone. The problem is that most people don’t do anything to prepare until the Category 4 is bearing down on them and is, say, 30 miles off of the coast. Yes, it’s true, all the Florida jokes are merited.
So what do hurricanes and the GDPR have in common? When it comes to preparations, we’re pretty much all Floridians at this point (even if you aren’t Twitter-worthy.) Many companies have waited until the last possible moment to begin their preparations, and are now scrambling to put together even a passable data security program.
Put another way, we’ve reached the point in GDPR preparations when one of two things is happening: utter panic at how much is left to do before May 25 or a shoulder shrugging resignation because “we’re not going to get it all done.” And to be honest, while that isn’t ideal, at least it’s honest. To look at your progress, honestly appraise it as not perfect, and decide to keep going has the merit of being a realistic assessment of the circumstances. As long as your answer is not to give up, it is far from the worst response to the situation.
Then again, we’re less than a month away from May 25 so, you know, we probably have to do something. But what? With limited time and limited resources, you can’t possibly go from zero to GDPR in 30 days. You have to prioritize, and, as we’ve already discussed, find the appropriate measures for your company.
This is not the time to be starting a long philosophical inquiry into the European Convention on Human Rights, or to draft a white paper on why Privacy Shield should remain a valid structure. This is triage time, and the good thing about the DataSmart Method is that you can do it at any stage in the life cycle of your data.
So here it is, our Procrastinator’s Guide to GDPR Prep:
- Identify – Take a week to conduct as comprehensive a data inventory as possible, paying attention especially to data inflows from clients. These need to be compiled into a detailed document that lists all of the data that you collect. Also be sure to identify all automated tracking and automated decisionmaking that your company uses, because you’ll need to know that later.
- Value – Determine what of the information you’re taking in is the most important, and establish a hierarchy. You can use buckets, you can use color coding, you can even set up one of those Carrie Mathison walls from Homeland. Just remember that, while you’re doing this, identify and (if you can) metatag your data categories to set parameters for how long you want to keep data and what you really need. This is when you have hard conversations, like the one I’m sure many privacy professionals and IT folks are having right now that goes like this: “Do we really need social security numbers? Really? Can we please just go ahead and delete them? Please? Thanks.”
- Structure – Silos, more buckets, columns in a spreadsheet, it doesn’t matter: organize the way you keep your data and assign data subject matter experts to oversee them. You need someone who really understands what you’re doing, what the data is for, and how you make use of it. It doesn’t necessarily mean you need a DPO, but if you don’t have at least one person who knows the entire story of your data, you’re inviting a problem.
- Protect – This is the easiest to say and the hardest to do. But in the next five weeks, think about low-hanging fruit. Are your passwords still “admin” and “guest?” Change them. Do you allow unfettered access to all data by virtually all employees? Implement access controls. Are you storing sensitive data in plain text? Stop that. Are you allowing critical security patches to go uninstalled? Please, please, please stop that.
To the normal list of “Inventory Value Structure Protect” we could add a fifth: Document. Write all of this down, write all of your efforts down, and make a running tally of your plans. The written component of GDPR compliance is among the most important, so don’t skimp about putting this all on paper.
There’s no way that you can start GDPR prep now, four weeks out, and find yourself fully compliant by May 25 – there’s too much to do. But that’s no reason to throw your hands up and say “forget it.” Make serious efforts now, with good advice, and you can at least get the ball moving so that, if a regulator does come asking around, you won’t have to say “GDPR? What’s that?”