At one point in my career, I was responsible for launching massive websites. We’d talk about when and how we flip the switch to launch the new website. At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it. But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks? It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)
And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines. It took me a minute to realize the expiration was May 25. So, other than the sardines, what happens? Are we done?
First the bad news: We won’t ever be done. GDPR requires constant diligence for its principles, recurring reviews of the processes we’ve built; ongoing use of Data Processing Impact Assessments; vigilance on how we process, store, transfer, use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is appropriate. And of course, the biggest question: What will the data regulators do? Will there be an immediate fine? (My bet is no.)
But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:
- You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
- You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
- You know who your vendors are, and more about your high-risk and cloud vendors.
- You have determined what needs securing and made sure you are securing it “appropriately.”
- You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait. Something often seems to happen in the doubter’s personal life that makes them get it – and big time. Real examples: Mortgage application reveals massive identity theft that needs to be fixed or they lose the house; soccer coach sends kid’s medical condition info to the whole team’s parents; intern (not at McAfee!) sends spreadsheet of fraternity members’ contact info, but it also contained everyone’s grade-point average.
Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection. And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.
It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes. But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).