As the May 25, 2018, deadline approaches for complying with the European Union’s General Data Protection Regulation (GDPR), much of the focus has been on the weight of the regulatory burden it imposes and the size of the penalties it exacts for failing to bear that weight. But that’s a somewhat narrow view; look beyond it, and you can see that GDPR compliance may not be such a heavy lift after all, and also that the reward for achieving it is far greater than many may have imagined.
For organizations that begin their approach to GDPR with a well-established privacy program already in effect, compliance may be more a matter of layering GDPR on to the private-data protections presently in place than one of building a complete program from the ground up. We’ve been engaged in just such an effort at Dell Technologies, of which RSA is one of seven constituent companies. While we’re doing this with the immediate goal of GDPR compliance, of course, we also recognize that there’s ultimately an even larger payoff.
It’s impossible to overstate the importance of this trust. If you’re looking to do business with a company, you want an assurance that they’re trustworthy. Do they take GDPR compliance seriously? How far along are they in their GDPR compliance journey? Can you be confident in their ability to protect your personal data, not to mention the personal data of your customers, employees, and others who entrust you with their data?
This isn’t just about the trust you need to have in companies with whom you’re doing business; it’s about the trust others need to have in you. To that end, you must be prepared to demonstrate that your organization is deserving of trust, that it’s far enough along the GDPR compliance journey to merit the highest level of trust. As you work toward that, you’ll want to:
- Identify areas of greatest risk and thoughtfully plan how to address them. Know what personal data you have access to, where you’re collecting it and how it flows in and out of the organization.
- Determine whether the controls, processes, and governance systems you have in place are robust enough for compliance with GDPR.
- Think about how you’re going to integrate tools for compliance with the governance systems and other technologies you already rely on.
Put a priority on areas that will be low-hanging fruit for regulators: How well you demonstrate through recordkeeping that you’re driving accountability for compliance; whether your organization meets the regulation’s notice and consent obligations; and what you’re doing to support data subjects’ rights to have their data deleted, rectified or relocated in a timely manner.
Achieving compliance is the first order of business between now and May 25 for any organization that’s governed by GDPR. Earning trust is the larger, and ultimately perhaps more important, consequence of the successful effort to comply.
Sooji Seo joined Dell in 2007 as legal counsel for Dell’s Australia and New Zealand business. During her tenure at Dell, Sooji has held various leadership roles in privacy, regulatory compliance and strategic legal advisory support. Sooji currently serves as Dell’s Global Privacy Program Director, which provides a broad range of leadership involving direct support and execution for the design, development, coordination, implementation and ongoing management of Dell’s global privacy program across Dell's global enterprise. This position leads a global team of certified privacy compliance professionals who are responsible to build, implement and manage a best-in-class and standardized global privacy program, in a highly regulated global environment.
Prior to joining Dell, Sooji was general counsel for Hunter Douglas Limited and Chubb Australasia. Sooji has over 20 years of legal advisory, compliance risk management and risk governance, regulatory enforcement and commercial litigation experience. Sooji received her Bachelor of Laws (Honors) from the University of Technology, Sydney and a Bachelor of Computing Science and Mathematics from the University of New South Wales.