Forget the Christmas countdown - there are only two weeks until the GDPR

Steve Norledge of IBM warns against targeting the 'low-hanging fruit' of personal data

IBM UK & Ireland's GDPR leader, Steve Norledge, used his keynote at one of Computing's recent free IT Leaders Forums to warn attendees against adopting an unscalable 'minimum level of compliance' when it comes to the forthcoming General Data Protection Regulation.

The GDPR will come into effect on the 25th May 2018: just 175 days away, and more like 120 when holidays and weekends are taken out. In terms of real deliverable effort, an IBM project manager told Norledge, that's only about two weeks.

The 25th of May isn't the endpoint - it's a start

Can you get a compliance framework in place and operating in two weeks' time? More to the point, can you get it operating continuously? The GDPR deadline isn't a cut-off date: "People have become focused on the 25th May as an important milestone," said Norledge, "but it's not the endpoint - it's a start… Operationalising will be really important."

The ability to ensure that GDPR processes are sustainable is the key that many businesses have missed. Norledge said, "Increasingly over the past two-to-three months, we've seen rising behaviour where people realise that they can't do everything, and I've heard a phrase: 'Minimum viable level of compliance'. It's not what I subscribe to, but people are thinking, 'How do we quickly and dirtily get to compliance on the 25th May?'" He went on to warn, "When you look at the artefacts that are created from this, it's spreadsheets. Excel is doing really well out of the GDPR!"

Small steps towards a minimum level of compliance - ensuring privacy notices are up to date on company websites, and starting to map personal data - are fine, but are they sustainable? How do you keep those spreadsheets alive and vibrant? Norledge said, "Take the low-hanging fruit, but don't box yourself in with processes that won't scale without a spiralling cost."

An ambidextrous approach

To avoid these costs, IBM is advising a two-pronged attack on each of the GDPR's challenges. For example, when it comes to maintaining a record of processing activity (which can lead to the spread of shadow IT), you could take both a top-down (business processes) and bottom-up (technical tools) approach.

The same goes for data subject access requests, which can be handled with a combination of manual processes and technology tools. Importantly, Norledge warned the audience not to forget about security: how can you verify that the person raising the request is who they claim to be? Another concern is the need to make that data, which could be several gigabytes in size, easily available to data subjects; the more easily you can make this information available, the faster you build trust.

Putting data subjects at the core of your thinking is an important part of the new regulation, even if it isn't explicitly stated. We recently spoke to Sheila Jambekar, associate general counsel and GDPR spokesperson at Twilio, who said, "Focusing on trust will take you in the right direction. The spirit of the law is making sure that consumers are in the driver's seat and can reach their data." Norledge agreed, telling the audience, "Put data subjects at the core of your thinking and you'll be able to build trust with them. Consider certain companies that we've seen this week, like a certain taxi firm, who will have hemorrhaged trust."

The GDPR is less than six months away, and a strategy is important. Norledge acknowledged that this time limit could pressure companies into taking minimum approaches, but asked again: "How will you make it sustainable?"