The race to the bottom has come into full swing. In the past few months, we have often pointed out how GDPR compliance was being snubbed by the vast majority of businesses, or rather, how GDPR still remained a complete unknown. Now, a little more than a month after the regulation became enforceable, it seems that the various alarm bells are beginning to ring, certainly also as a result of the scandal that has hit Facebook.

We are not here to explain (for the umpteenth time) what the new European privacy regulation requires; let’s try to understand what companies must actually do to comply. Knowing the regulation, what it requires and what it entails is certainly the starting point to be able to act. It is not just a matter of reading the text of the regulation, but of actively starting with preparatory work. In gaining awareness and understanding of the requirements of the regulation, it is essential to recognise that this is a long-term project and must be structured as such. Therefore, compliance with the regulation must be a function of the company’s core business objectives. In our view, at this preliminary stage, management teams should ask themselves questions such as:

  • What is the goal the company wants to achieve in the immediate term? What about five to 10 years from now?
  • What (personal) data is needed to achieve strategic business goals?

Once the answers to these questions are found, the gap detection and analysis phase (GAP Analysis) begins. It is then necessary to document what personal data the company holds, where it comes from, and with whom it is shared. It is important to identify and classify all the personal data that the company collects, processes and stores. Next, we move on to identify the degree of completeness of the compliance measures currently in place, i.e., we perform a gap analysis: the distance (GAP) that actually exists between the current situation and what the regulation requires. In this activity, not only the technological/IT security aspects will be taken into consideration, but also the contractual/regulatory sphere and, consequently, all those obligations that will not disappear with the application of the regulation but which, on the contrary, will become its basis. The result of the GAP Analysis is a precise description of the elements missing to close the aforementioned gap.

Alongside the information gathered about the data processing activities in place and the corresponding compliance measures, it is good to also be aware of the risks, i.e. to identify the high-risk gaps that need to be filled immediately, thus defining an order of priority for compliance. In a nutshell, you’re going to create a roadmap or action plan that should include all the activities that need to be completed by May 2018, but also all the other actions needed to ensure long-term compliance.

All that’s left is to implement the defined actions. However, when taking action you need input from different teams, both internal and external to the company. We will clarify this aspect in a later contribution.

To be continued…

Sara Avanzi