All of the recent conversations I’ve had around data and privacy have led to the same conclusion – despite the EU’s General Data Protection Regulation (GDPR) being ratified nearly a year ago, organisations are only just beginning to determine how GDPR impacts them or how much it’ll cost to implement. And the longer they wait, the worse shape they’ll be in.
There is no right or wrong approach to determining the budget for implementing GDPR. But an approach needs to be chosen – and soon.
So what does this mean in concrete terms?
GDPR requires organisations to comply with the legislation and report data breaches. And it’s the senior management who are in the firing line if this doesn’t happen.
But given the size, scope and complexity of GDPR, there’s a risk the regulation will become a black hole for resource. And in an environment where profits are already squeezed, no-one’s keen to be accused of investing unwisely. Given the current maturity of the financial services businesses we’ve spoken to and where these organisations need to be by May 2018, they’ll need to substantially increase their investment to implement the legislation in time or risk being caught out by the regulators.
So where do you start when the end isn’t clear?
GDPR is the first data protection regulation of its kind. Its impacts reach far beyond the industry, geographic and technological borders of its predecessors.
So understanding how to budget for GDPR implementation is a challenge. A starting point is to perform a gap and impact assessment, which defines how GDPR is relevant to the firm and how mature the firm currently is against it.
When we recently worked with a Tier 1 British bank and a leading consumer financing business in the automotive industry, we followed an approach in which the priorities were defined first, followed by investigation of the unknown dependencies and elements. This approach supported the allocation of effort and resources, and delivered tangible quick wins.
There are four key categories to determine:
Known knowns – the things we know
Known unknowns – the things we know we don’t know
Unknown knowns – the things we don’t know we know
Unknown unknowns – the things we don’t know we don’t know
That last category is the killer: the ‘unknown unknowns’ are a significant challenge to plan and budget for. This is especially true when it comes to making IT system changes to comply with several GDPR requirements, e.g. privacy by design, changes in consent models, enabling individuals’ rights management and safeguarding personal data assets. You’ll need to conduct extensive deep dives into your organisation’s technological ecosystem to determine the changes required to comply with GDPR.
Addressing these challenges and unknowns will require flexibility from your organisation and senior management in terms of allocated resource. And it’s essential that a significant portion of your budget is set aside to address the ‘unknown unknowns’.