In our first two installments of this blog series, we introduced the GDPR and CCPA, and helped you look inward at your organization to understand your company’s data protection practices. The grand plan, of course, is to move you from general awareness to restructuring your organization so it can thrive in the new era of digital data protection. That restructuring is the topic of today’s blog.  (And remember, at the end of this series, we’ll be publishing a full Insight on Data Privacy and Protection, so don’t forget to keep checking back!)

If you’ve done your due diligence, you’re reading this armed with a solid understanding of how data courses through your enterprise. You know how it enters, who touches it, what happens to it, where it goes, and how it’s expunged.  You know who is allowed to see it – or at least who is supposed to be allowed – and you understand the controls you have in place to manage it.  And you know what the GDPR and CCPA require in terms of new functionality: consumer contact tools, information disclosures, paper trails, etc.  Now it’s time make the material changes that will establish your company as compliant.

Writing new policies/controls can be time-consuming and complex, but shouldn’t be seen as a crisis.  You’ll probably engage a committee or have a leadership review, run through a few drafts as you find that the initial concept hits some technological snags, and ultimately come away with something robust and streamlined that fits fully with the privacy laws you’re trying to abide. When you’re comfortable with it, implement it. Everything you’ve done before is prologue – the main story starts now.

I’d be remiss if I didn’t mention one challenge you could face: for some companies, the cultural shift that goes hand-in-hand with these policies might be harder to manage than their actual rollout. For example, some companies have an informal, honor system-based access request process: Analyst Bob asks IT Kyle for access to ABC Widget’s customer database because he needs to do some work, and IT Kyle bops into Active Directory to grant it. While that works in the pre-GDPR world, it’s forbidden in the compliant one. Forcing Analyst Bob and IT Kyle to file a form, cite the proper business justification, and leave an easy-to-follow paper trail, could be jarring – and actually seen as a barrier to productivity.  Same with Marketer Sheila who wants to email a spreadsheet of contacts to Data Processor Tina at your subsidiary in Tacoma.  So you’ll need to work internally to demonstrate the value of the new processes, while acknowledging that things might not be as easy as they were in the wild frontier-land your old processes created.

Next, you’ll deploy your new contact forms, open an 800 number, and validate your information request and action certification forms. If all goes well, you are almost ready to open your doors to the new land of compliance.

Tune in next week for the final stop on this journey…