We have regular discussions with data privacy peers around the nirvana goal of "GDPR Compliance". Given the considerable variance in how the legislation is interpreted, and the subjective nature of terms such as "appropriate" and "clear", full compliance is typically deemed unachievable.
An Alternative To Compliance
While full data privacy compliance may not be possible, organisations still need to maintain a sufficient level of demonstrable control. They remain accountable for the personal data they have received.
We work with clients to create a Defensible Position. That is, delivering activities that demonstrate a reasonable and sufficient approach to Data Subjects, colleagues, shareholders and regulators.
The key requirement for a Defensible Position is to establish consistent management of data protection across an organisation. Specific governance tools are used to drive an appropriate tone from the top, including organisational design, strategy, risk appetite, policies, training and assurance. Executives establish a position whereby they can evidence reasonable steps have been taken to do "the right thing", thereby significantly reducing the organisation's risk profile.
Data GRC works with clients to help them define, deliver and maintain their Defensible Positions. By engaging a broad range of stakeholders throughout the organisation, we support remediation programmes that provide a reasonable level of control.
Our GDPR maturity assessment is typically used through the lifecycle of the programmes, to demonstrate initial and target positions, and progress in between.
Click this link to contact us and discuss our GDPR consultancy services.
Click this link to see more guides on Data Privacy, GDPR and Information Security.