Getting Executive Buy-in for GDPR Compliance

GDPR compliance presents considerable challenges for the tens of thousands of companies worldwide that have chosen to build an OpenStack private cloud (or utilize an OpenStack public cloud) for added resilience, agility, and control. This sweeping regulation dramatically changes the way organizations handle and process data, and achieving compliance efficiently will likely require Herculean effort.

While we are currently past the enforcement deadline – which means that the provisions within the GDPR must be followed by all companies, regardless of size or resources – there are a number of companies still working through the ways in which they can feasibly address the tall order that is GDPR compliance.

Lack of Resources to Meet GDPR Compliance

In many cases, meeting GDPR compliance forces a significant change (and often, an increase) in the internal resources charged with organizing and enforcing data handling processes.

Consider a recent survey by Crowd Research Partners, which revealed that 60 percent of businesses would not make the May 2018 GDPR compliance deadline. The reasons? Lack of budget and staff with the knowledge necessary to make the changes required to meet GDPR mandates. This is going to cause most organizations increased angst over the year ahead, as they rush to get themselves compliant. There’s no time to waste. Regulators can levy fines of up to 4 percent of global revenue against an organization found to be out of compliance with key provisions of the GDPR.

The reality is that GDPR increases the complexity of compliance and cloud security, and demands a great deal of control over cloud resources – likely more than any previous regulation or government mandate. If you are running your own cloud, you need to ensure that you can do everything mandated under GDPR on your own, and that may require a significant resource commitment from your organization. That’s where it becomes exceedingly important to loop in your executive team.

Gaining Executive Buy-in (and Budget)

Whether the changes are for security or for regulatory compliance of any kind, organizations are reluctant to institute new controls and steps in their workflow unless they are compelled to, or at least until executive leadership establishes GDPR compliance as a priority and a goal. GDPR is a significant business risk factor, and its importance needs to be elevated to the CEO and the board of directors as well as the other senior levels of management within the organization. The CISO, Data Protection and Privacy Officer, and Legal and Compliance Officers should also help to ensure that GDPR mandates are managed within the overall compliance framework of the organization.

If you are not receiving the resources or structure necessary to keep the private cloud in compliance, inform executive leadership of the urgency, of what is necessary to put the tools, people, or processes in place, and of the impact of non-compliance. A good, business-driven argument on risk mitigation will go a long way toward winning the necessary resources. After all, the executive team is the most likely to face the consequences of being found out of compliance.

Specifically, set aside time to brief your executives on:

  • Why data protection is so important, and how it could impact your business and employees
    • How do internal processes need to change, and how impactful will that change be?
    • What are the market implications? How will customers and/or partners perceive your trustworthiness and diligence through your GDPR efforts?
    • How can you train the entire organization on the appropriate data handling measures?
  • State of the state: how you’re currently acquiring, storing, and tracking personal data
    • What are the practical implications for your company and how it operates?
  • Your company’s GDPR compliance risks: what practices or processes do you employ that could become problematic?
    • What are the most significant gaps between where your processes are now, and where they need to be in order to comply with GDPR?
    • Rogue data storage by individuals (for example, keeping Excel spreadsheets outside of the database, or keeping corporate information in cloud services like Dropbox and Google Drive)
    • Vendor scope and complexity: is your data fragmented across dozens of systems, or is it relatively centralized?
  • Decide on an action plan and assign responsibilities so that everyone is in agreement on who is charged with what
    • Who is ultimately accountable for ensuring that the organization is GDPR compliant?
    • Identify any personnel or resource gaps
    • Appoint a GDPR champion (and perhaps a GDPR team to support him/her) within your organization who can manage the various projects and push the initiative forward – this may or may not be the individual ultimately accountable for compliance
  • Consult with experts in the field and apply “best practices” for data storage and processing
  • Put your plan into action: assign deadlines and update management at regular intervals
  • Measure the good & the bad: identify both improvements and declines in process, performance, and operational efficiency

Remember that this exercise will require involvement from key stakeholders across the company; a regulation of this magnitude impacts nearly all departments, and no two departments will experience the same impact. This is more than just an IT exercise!

Your executive team will need regular, periodic updates on GDPR compliance progress. It’s not a one-time project, and it will require additional movements and changes as your business and the regulation itself evolve. Schedule standing meetings to provide updates on compliance efforts, emerging risks, and budget/resource constraints to keep the project top-of-mind for your organization. Retaining executive support and interest is crucial to achieving GDPR compliance success.