
Who should drive the GDPR Program?

Posted by Rohan Kanungo | April 12, 2018 7:15 AM

Awareness of the GDPR is growing and organizations are coming to terms with it. Having said that, many are still grappling with how to structure and execute the program. Why is this a vexing problem? Structuring a GDPR program is not a trivial task. Past experience in delivering security programs and meeting other regulations can provide some guidance, but it cannot simply be replicated in the GDPR scenario.

The first reason is the nature of the GDPR itself. It is not a 'prescriptive' document and does not lend itself to a 'checklist' that can be deployed. A couple of years down the line that may become possible, but not right now. The GDPR requires judgement and interpretation: risk management, and a response proportionate to the assessed risk, is built into its structure. Coupled with this is the fact that, while the 'intent' of the regulation is clear, there are several grey areas when it comes to contextualizing and operationalizing it for a specific business case.

The second reason is that data security and protection are at a 'Darwinian' moment. The stakes with the GDPR are high. It is being looked upon as a 'role model' for data privacy regulation and in many ways will pave the path for future action in this space. Organizations are acutely aware of this and are determined to make an informed and calibrated decision on how to approach it. The costs of a tepid start to a GDPR program will be manifold and will set an organization back significantly.

Key Success Factors

Delivering any GDPR program requires a high level of management awareness, the right organization, efficient tools, employee education, and an effective implementation model.

The key success factors for delivering a GDPR program are:

1. Alignment to overall business strategy and operations

2. A decision-making mandate

3. Budgetary control

4. The ability to drive the organization and create awareness

5. The ability to execute

We are of the opinion that only a combined implementation model is effective in achieving and demonstrating compliance. A combined effort is needed to map the regulatory requirements clearly onto the entire organization and all of its operations, including IT.

We recommend that a 'GDPR Task Force' be constituted under the auspices of the Office of the CEO. The task force is led by the CEO and has representation from every department of the organization, including the CXO suite and all business functions: CFO, CIO, CDO, CSO, Legal, Marketing, Sales, HR, Procurement and so on. With this wider management focus, and with project groups across functions such as legal, marketing and IT, the task force can address strategic considerations, since it reviews what customer data is collected, how it is used, and how that could be done better to create competitive advantage. Where the regulation requires a Data Protection Officer (Articles 37-39), that role remains a separate, independent function; the task force coordinates the program but does not replace it.

This structure is what delivers 'data protection by design and by default', as required by Article 25 of the GDPR. Privacy by design means taking data protection into account at every step of a company's processes, from R&D and business development through to marketing and sales, rather than bolting it on after the fact.
