Have you ever heard of the term ‘analysis paralysis’? Well GDPR paralysis is flavour of this, although not the same.
So far I’ve experienced the following distinct types of GDPR paralysis. What this means is that an organisation cannot move forward, either on their road to GDPR compliance, or their operations are just blocked to do anything due to the upcoming Regulation.
- ‘GDPR let’s wait a bit’ until we are sure we know exactly what the legal text will say. I saw this popping up as early as 2015, when the business called in the legal guys, who advised it was best to wait until the final version of the GDPR was agreed. However what was frustrating, at least for myself as a privacy consultant, is I could see so much that could be done even based on the draft 2012 version, e.g. Processors could pursue ISO27001 Information Security certification on their operations, controllers could have documented their business processes, to that personal data flows could be mapped onto later… etc.. I can see the same happening with the e-Privacy Regulation due to replace the e-Privacy Directive (lots to do with marketing here). It is not ready yet, but we have enough to start preparing.
- The ‘GDPR hot-potato’ – this I came across the first time in the 2016, and since then I’ve heard it happens a lot. The question of GDPR had landed at board level of a rather large B2C business and nobody wanted to own the budget. It took them 8 months finalise which department should own the GDPR project and of course during this time nothing happened.
- GDPR warfare – mainly in industry whereby personal data is their core product. I’ve come across this at least twice in a big way. It is the opposite of (1) in that there is a fight between legal and IT to own the GDPR budget. I’ve seen both situations whereby originally legal had the budget, but IT were better qualified as they had a legal guy as CISO and he understood both IT and the need of legal expertise. The second is where both IT and legal needed to work more tightly together, as each had strengths that were lacking in the other, hence neither could have owned the budget and executed effectively.
- Operational stop! is when nothing can move forward because your legal department inform you that it is not GDPR compliant. Unless you have a middle-man to mediate as concrete bullet-points to balance the commercial vs. the privacy and risks etc., you will end up with war between your marketing/sales and legal teams. It will probably end up with your head of Marketing having a mental melt-down, because they are not able to do marketing according to the GDPR + e-Privacy Regulation. Of course this is not the case, it just requires some new thinking. Inside of Privasee we’ve implemented a Change Advisory Board (CAB) to take this function. This is normal practice in larger organisations as part the IT Service Management (ITSM) process, but not seen as so necessary in smaller business such as ours until now.
Do you have any GDPR war stories to share?