GDPR compliance shouldn’t be a ‘one and done’ process for organisations

12 Dec 2017

GDPR isn’t a box-ticking exercise. Image: Ralf Geithe/Shutterstock

GDPR compliance should be an ongoing process and it can be simplified, says Dana Simberkoff.

As GDPR is right around the corner, Dana Simberkoff spoke about simplifying compliance, the importance of good communication skills and trying to eliminate cumbersome spreadsheets from companies’ privacy strategies.

Simberkoff is the chief risk, privacy and information security officer at AvePoint. She is responsible for AvePoint’s privacy, data protection and security programmes, and manages a global team of subject-matter experts.

She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP).

Dana Simberkoff, AvePoint. Image: AvePoint

People, process and technology

Simberkoff discussed the use cases for the AvePoint Privacy Impact Assessment System (APIA), which is distributed by the IAPP. It has been used extensively by businesses to carry out privacy impact assessments (PIAs) for several years, but the latest edition fully integrates an advanced GDPR detailed assessment, developed with assistance from AvePoint partner Microsoft.

It provides a dashboard of sorts so organisations and service providers can keep an eye on compliance progress and identify where they are on the GDPR journey. As well as tracking progress, APIA can provide recommendations to close any existing gaps.

She explained that the software solution “actually predates GDPR quite a bit. It was actually built partially in response for some requirements we have in the US for federal agencies, who had been doing privacy impact assessments for a number of years under a variety of statutes.”

Cutting out annoying spreadsheets

Simberkoff added that cutting out the drudgery of carrying out PIAs with spreadsheets and emails was a major factor for many of the thousands of companies who migrated to APIA. “The companies that had been doing PIAs had been doing them using spreadsheets, which is not a scalable option – people spend a lot of their time babysitting emails.

“What APIA does is, it centralises and automates the process, and it allows you to find tasks, roles and responsibilities, people to answer the questions and provide feedback.”

APIA is free to use, and Simberkoff said that many companies actually looked at its toolkit to build their own commercial compliance tools. “We heard from some of them [other companies] that they sort of took a cue from what we were doing, but then they started charging for it, which is, in a way, flattering.”

For Simberkoff and AvePoint, compliance really is a community-based endeavour. She said that the company simply “wanted to be part of these conversations that privacy teams were having around management and protection of personal data and sensitive information because, commercially, AvePoint provides products that allow you to discover, classify and protect sensitive data”.

She continued: “Companies were spending so much time chasing emails and spreadsheets that they weren’t able to think about problems that technology could help solve.” By saving time using automated technologies, Simberkoff said firms could then focus on educating teams about the importance of compliance. It can’t just be a technology solution with no staff buy-in. For her, it’s all about three factors: people, process and technology.

Automation won’t solve all your problems, but “it is going to allow you to eliminate a lot of low-lying fruit” in terms of continued compliance.

GDPR is not a destination

Simberkoff said that GDPR is “a journey, not a destination” and needs to be viewed as an ongoing process. As she succinctly put it: “It’s not a ‘one and done’, it’s a cultural shift for companies.”

When asked about how best to communicate the importance of compliance with GDPR and indeed other regulations, she was unequivocal in her emphasis on the team effort required: “It does require a village; I manage our global team so it requires connection between IT, security, privacy and the business.

“You do need to have that approach as it requires a lot of technical and operational controls. Privacy folks need to become technologically savvy; they don’t need to become experts but they do need to understand the vocabulary of IT, and IT security teams need to become much more comfortable with understanding.”

She added that fearmongering around GDPR is counterproductive. “It’s an opportunity for companies to do what they should have been doing all along. In many ways, it ties to good data life-cycle management and data hygiene.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects