Posted: March 9, 2018
How does the GDPR compare to IKEA? Well they’re both European for starters, and while IKEA is #trendy, GDPR is #trending.
With the work I’ve done with clients utilizing our consulting services for GDPR support (which is primarily serving as liaison between the client and our delivery team in the pre-sale phase), I’ve discovered the complex tasks U.S. organizations are facing when it comes to preparing for the regulation. I’ve discovered just how problematic implementing the appropriate policy, procedure, and technical controls can be. I’ve discovered how it reminded me of assembling a piece of furniture from IKEA… without the instructions.
Most of us have either assembled furniture from IKEA ourselves, been a witness to someone assembling furniture from IKEA, or heard stories (maybe horror stories) of someone assembling furniture from IKEA. Don’t get me wrong, I appreciate IKEA, I just hate assembling furniture. And like the stereotypical male, I avoid instructions when assembly doesn’t seem too complicated.
Similar to looking at the photographs on a box of furniture from IKEA and thinking: “this shouldn’t be too difficult”, an organization’s GDPR Team (whether it be led by Information Security, Information Technology, Legal, Privacy, etc.) may look at GDPR and think “this isn’t too difficult for us to handle internally.” Then you open the box…
And you find an extraordinarily large number of components that have been packed to the brim. With GDPR you discover Data Subject Rights, Privacy by Design requirements, Privacy Principle requirements, Data Mapping requirements, etc. You discover that GDPR touches more departments than you realized. You discover that maybe it’s a bit more than you anticipated, but you carry on without instructions.
You begin assembling the furniture only to discover halfway through that you’ve implemented a major component backwards, and the unit won’t function with it that way. What do you have to do now? You must backtrack your current progress to the step where that piece was applied. As an organization, maybe you spend countless hours of personnel time developing policies and governance in accordance with GDPR, only to find a mismatch between said policies and your operations and/or technologies. Maybe in your policies you’ve missed a key exemption that applies to your organization’s operations. What do you do? You backtrack your current progress and painstakingly rewrite your policies and governance.
What about when you’re nearing completion of your furniture item only to discover the package didn’t include all the necessary screws to attach the final piece? What do you do next? You email or call IKEA and have the missing pieces shipped to you and endure the wait; or you settle for an incomplete item of furniture because you don’t want to hassle with it anymore, but you think to yourself: “next time, I’ll count my pieces first”. I imagine a similar feeling comes over the GDPR team of an organization when they perform data inventory and mapping late in their process only to discover several instances of data not being protected by a previously implemented data security framework. Ah… the frustration, except fixing this won’t be as simple as emailing customer service. Nope, back to square one.
If you’ve run into problems like the ones mentioned above when assembling furniture, you’ve probably wished you could start over and take a bit more time to review the instructions. I imagine there are several organizations down the path of GDPR and wishing they could start over. Well, you can. You can hire help, you can bring in consultative experts. Using a consulting firm to support your preparation for GDPR is not only like assembling a unit of furniture with the instructions manual, it’s like assembling a unit of furniture with the instructions manual for the second time (although it’s really the first time for your organization):
Jordan Eisner is the Director of Sales for CompliancePoint’s Customer Engagement Practice Group which provides consulting services for organizations dealing with privacy regulations such as the GDPR and the TCPA. He’s worked with hundreds of organizations on a variety of initiatives and is passionate about finding the right fit for each and every client. Jordan is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP) and a graduate of Georgia College & State University where he received his Bachelor’s Degree and Master of Business Administration. He’s a proud Atlantan and enjoys spending time with his wife and son.