Several years ago, the Staples Easy Button became a popular advertising gimmick for the office supplies company. Originally just a picture in Staples ads, people clamored for a real Easy Button, so the chain made more than 1.5 million plastic buttons that said, “That was easy,” when you tapped them.
It’s the kind of magic that company executives would now like to have for solving their GDPR challenge. Companies that weren’t doing a good job of data privacy protection before this new regulation face even larger hurdles now. And there seems to be a scarcity of data privacy and legal experts available to help: at least 28,000 data protection officers (DPOs) will be needed in Europe alone.
Personal data protection laws were first established in the 1990s. But complying with the GDPR means changes in business practices and processes on a far greater scale. Today’s common business practices, like the more sophisticated CRM programs adopted by most companies, contribute greatly to the complexity of meeting GDPR requirements. And countless measures that companies plan to take to comply are expected to fall short in many cases.
GDPR is catch-up compliance. The data, processes and IT environment of most companies are not structured for these requirements. For example, they don’t know which of the data they possess is subject to the right to be forgotten, or how to validate that the ‘forget’ has actually occurred.
Article 25 of the GDPR addresses the notion of privacy by design, which calls for minimal personal data collection and retention. In other words, collect only what’s absolutely needed for your business so you don’t have to create extensive measures to monitor or forget it.
How often do we all fill out online forms that seem to ask for far more personal data than they’d ever use: name, address, phone, email, age, first pet, color of your house, best man at your wedding, what type of pizza you last had, etc.?
Companies haven’t been careful about collecting information; they ask for everything even if there’s no identified need for it. Once the GDPR is in place, data protection by design will become standard when companies develop future business processes. In fact, data collection and retention processes, with privacy and security in mind, will be part of digital transformation initiatives that improve all parts of business operations, not just compliance.
But, right now, in the fall of 2017, everyone is focused on how to quickly achieve compliance.
There are a number of people and products that suggest really large scale, cumbersome ways to reach compliance. There’s probably not enough time for these and they may represent a much larger investment than is needed.
I envision that GDPR compliance can be accomplished in just six steps.
With a carefully planned and structured approach such as this, along with tools that can help you carry out these steps, you may not need the Forget Button. Instead, after next May, tap the Easy Button and listen to it say, “That was easy!”
This article was originally published in cio.com as part of the IDG Contributor Network.