GDPR is NOT an IT project, it is a Complex Change Program!

18 September 2017


The General Data Protection Regulation (GDPR) will be applicable 26th of May 2018

Many organizations have initiated preparation and improvement initiatives to ensure compliance to GDPR. The complexity of GDPR poses the challenge of how to address the requirements; some regard it as an IT project since it (partially) relates to information stored in systems and applications. Others regard it as an Information and IT Security Initiative driven by the need to protect information. 

We at Ascend believe that in order to reach GDPR compliance, several functions and areas in an organization need to be involved and interact throughout the change journey. Only by working together in a coordinated way can an organization avoid potential fines and damage to its brand.

As an example, see the request below from a former employee, asking for information to be deleted for which there is no legal basis to store or further process it:

A “simple” request of deleting information has an impact on several functions in an organization:

  • All departments need to know what information they process, why it is processed and how. For employees, this pertains in particular to HR, while it also applies to Sales and Marketing when the information relates to a customer.
  • IT needs to be able to say in which applications or systems the information is stored (and for what purpose).
  • Procurement needs to have contracts in place to ensure that any 3rd party deletes the required information.
  • Managers and employees need to be aware of the GDPR regulation in order to prevent creating and storing sensitive content unnecessarily.
  • The Service Desk needs to log the request, follow it up and provide an answer to the individual within the required timeframe.
  • Legal advisors need to ensure that all of the above complies with the regulation in order to avoid violating it.

To prepare, plan and implement the changes required by the GDPR regulation, a Cross-Departmental Change Program or a Transformation Program is needed. Wouldn't you agree?

Indeed, the vast number of dependencies between the GDPR initiatives related to policies, ways of working, IT and training puts emphasis on central coordination. This enables a more cost-efficient approach and at the same time reduces risk, since such a change program follows up on and coordinates the implementation across all departments in the organisation.

Hence GDPR should not be regarded as an IT or Information Security project, but as a Program of Complex Change that needs to address all areas and departments in the organization.

How has your organization addressed compliance with GDPR? And what benefits or risks do you see with your selected approach?


Learn more about the difference between a change program and a transformation program.