Suddenly I realised, as one who profited handsomely (not in money but in perks’ way), that the whole GDPR compliance thingy is becoming quite similar, all too similar, to the hype that was called The Millennium Problem … too bad we now know how that ended, otherwise an illustrative movie could be made of the latter – now only (?) a documentary review is worthwhile, as history writing. Too bad it isn’t out in the open that despite all efforts then made, actually quite a lot of companies ended up having to hire temps to do all sorts of manual corrections in their administrations due to e.g., spreadsheets [the very things the toughest, most important business decisions hinged, and still hinge on!] going heywire over date fields.
To come back to the Issue … Are you not hit by that, almost sudden, avalanche of GDPR compliance warnings lately, like, the past couple of weeks ..? Is it not a warning that you need to do loads of things now, starting with hiring consultants (call to action; they’re Sales messages of course) this time not of the tech kind – engineers that see a problem, craft a solution and we’re done –, but of the legal kind – profiting only from prolongation of your insecurity.
And ah, there’s the snag! Multifaceted it is;
- One: With some deadline suitably near to instill fear of lurking deadlines but suitably far to be able to still write you up with many, many ticks (per 6 or 3 minutes ..!?) at ridiculous rates, will be written;
- Two: Unlike the patching that was the core solution (after Inventory – you did keep that in appropriate order in your wide-scope CMDB ever after 31/12/00, right ..? Even with some global outpost in the corner writing that down as 12/31/00. What stupid value loss if you didn’t! We’re only 17 years on! Did you really think legacy problems would have gone away by now …!?), we now see there is no solution but just getting compliant with all sorts of stupidly unprofitable, inefficient (and might we add, ineffective! yes if you are realistic, that’s what it is) good-for-nothing overhead;
- Three: The good-for-nothing part — maybe not fully nothing, but oh so limitedly good for anything that you should’ve done already long ago not only for any ‘privacy’ compliance but for effective and efficient IT, -security included.
Following on this Lotus list, indeed there’s a lot of work to be done to become compliant … on the Legal side. On the IT side maybe also, but what needs to be done there, is (re)implementation of sound practices that should have been common daily practice anyway, and when implemented as such, ready; done.
The legal side on the other hand, sees all sorts of enduring challenges, like many cultural changes; no leaning back and await questions for advice to be answered out of hand with “It depends…” / “Come with a proposed solution and I’ll tell you whether it may or may not be permissible”, but for once being actively engaged and delivering definitive answers, and designing, implementing, and carrying out your (Legal) selves reams of procedural stuff. Acting on assessments, acting in communications, acting in control(s), etc.
You get it — the GDPR brings many problems for many organisations, the biggest of the problems being how to manage back the (Legal) consultancy fees… Remember, when data leakage isn’t preventable (as some dunces might still believe, many on the Legal side of GDPR compliance among them – hey they even think pseudonymisation amounts to anything), bad things are bound to happen. When (not if) not already via the avalanche of information requests …
I rest my case now, for you to have time to process the above, get it, and leave you with:
Your GDPR compliance looks much, much worse (this is actually quite good!); Toronto]
[For 20 points, evaluate the risks, e.g., qua privacy, bird strikes, value development; Barça]
