Sonia Cheng is FTI Consulting’s European Information Governance Leader. In this short video, Sonia introduces some ideas for companies to consider when first tackling compliance with the General Data Protection Regulation.
Quite a lot of GDPR summaries focus solely on the maximum financial penalties which may be imposed for breaches of the GDPR. Sonia Cheng begins, rightly, by stressing its benefits – increased personal control of information cannot be a bad thing.
It would be good, Sonia Cheng says, to begin by making yourself aware of what the regulation actually says. Sonia Cheng’s main focus here is on the positive effect of helping to identify obligations. I would add that reading the GDPR would help correct misapprehensions, not just about the penalties but about things which are easily misunderstood. The implications of consent, for example, are more subtle than the conventional shorthand implies, and even the most cursory read would stop people talking about “citizens’ data”, which is not a concept expressed in the GDPR.
That done, Sonia Cheng suggests, do a gap analysis, devise an action plan, and map your data – what data do you have and where does it flow? Legal departments and those responsible for compliance should join forces with the IT, HR, marketing and sales departments to get a picture of how data is obtained and what processes it goes through. Sonia Cheng’s general message is that you cannot manage or control what you do not know about.
I met Sonia last week, as it happens, and it is no coincidence that the occasion was the Sedona Conference cross-border discovery and data privacy programme in Ireland, where the practical response to the GDPR was a major item of discussion. Information governance is not just an empty phrase, and the things which Sonia discusses in this short video have implications beyond mere formal compliance obligations.
Some great advice from Sonia – ignore the hype and focus on understanding the requirements. From there a simple gap analysis will identify areas where work is required. Bear in mind all the controls and best practices you already have to comply with existing DP regulation. Then prioritise – you cannot fix everything at once!
Pragmatic, risk-based solutions are required here…