escalator going up and down
Businesses default response to data security requirements is to see them as a burden. Three tips to help them see the opportunity PHOTO: Ben Garratt

A Dutch artist once said his two least favorite words in the English language were, “Yes, but ….”  

Most of his ideas for projects were greeted with those words by a skeptical audience.

“Yes, but what about the cost?”

“Yes, but what about the requirements?”

The list went on.

Anyone in the IT industry and in a compliance role are probably familiar with those words. We have either heard them, said them or — in many cases — done both.

Switch From 'Yes, But' to 'Yes, And'

I joined my colleague Bojana Bellamy, president of the Centre for Information Policy Leadership at Hunton and Williams, LLP, and industry peers at the Gherkin building in London in mid-March. We gathered to present our perspectives on operation and technical readiness for the EU General Data Protection Regulation (GDPR) at the IAPP Europe Data Protection Intensive 2017

During the event, one of my co-presenters reframed those two words as, “Yes, and ….”

Anyone who's taken an improv class will be familiar with this approach. Rather than shutting down forward motion, it opens the door to possibilities.

As your organization approaches data protection initiatives around the GDPR and other regulations, the power of “Yes, and” is illustrated through three takeaways from that session.

1. See Privacy as a Business Enabler, Not a Cost

As many compliance professionals have experienced, there is a common perception that privacy is where “IT goes to die” and that security “leads with no.” 

Whether deserved or not, these functions are often seen as a cost to the business, a necessary burden required under laws like the GDPR, and not an enabler. 

However, one of the key messages from this session was that leading companies are using the GDPR as an opportunity to digitally transform their businesses — and build a successful compliance program at the same time. 

In essence, they are saying, “Yes, GDPR is a requirement, AND our company is going to take advantage of it to build customer trust and reimagine our use of data.”

While this may sound ambitious, I think it is brilliant. As I’ve written previously, the GDPR includes an obligation to build privacy and security by design and by default as a foundational tenant of an organization’s development lifecycles. 

How better to inspire that fundamental change than to gain the sponsorship of your executive management team? You can help your organization see not only the risk mitigation aspects of GDPR, but also the opportunity to harness the data revolution in a secure and productive way.

We’ve heard of data as the “new oil” in our digital economy, but another, more apt analogy I recently heard, was data as “electricity.” Data powers our companies and fuels our productivity, but can also “shock” or hurt us. Imagine the impact to our businesses if it was turned off. 

By taking proper precautions to build in safeguards, we can not only optimize our use of data to generate revenue, but also prevent harm or even calamity.

2. Unify Your Privacy, Security and IT Teams

Privacy teams are typically small offices within large organizations. To create a shift in the way a company thinks about data, these teams must forge an alliance between the Chief Privacy Officer, Chief Information Security Officer and Chief Information Officer — along with their business sponsors. 

With the right teams and proper planning, you only need to “dig up the road” one time to make the changes necessary to redo the foundational tenants of data creation, collection, use, sharing and end-of life.

In this case, the concept is, “Yes, our business needs to transform the way we are addressing data lifecycle management, AND we can use this opportunity to modernize and optimize our business process.” 

The power of these teams working together, instead of pursuing separate agendas, will be a welcome relief to a board of directors and company executives, all of whom are wary of breaches and fines (for good reason). 

3. Modernization Projects Provide Opportunities in Productivity and Data Protection

An existing IT or business-driven modernization project within the company — such as a cloud migration — provides an opportunity to gain momentum for your GDPR program. GDPR sets out clear requirements for technical controls to manage certain kinds of personally identifiable information (PII) in the cloud. 

The message here is, “Yes our business is moving our legacy data from on premises to the cloud, AND before we do it we are going to first understand the data.”

Only through knowing what data you hold, along with internal company policies and external regulatory requirements, can you begin to take a risk-based approach to storing information appropriately. 

This is a key component of the GDPR. By making data classification and protection a part of a migration from the start, you can ensure you only move data that should be stored in the cloud. In addition to protecting data subject to records management, privacy or security concerns, you can also dispose of data that is redundant, obsolete or trivial. 

Through this approach, you provide cost savings to the business while improving IT efficiency and end-user experience. Now, privacy has become a business enabler rather than a cost.

This knowledge allows you to make informed decisions — including where data should live, who can access it and what kinds of controls you need to put around it. The same reasoning applies for defensible data destruction and records management requirements. 

It allows your business and your compliance teams to embrace the future with a happy, “Yes, we are working on our GDPR project implementation, AND we are doing so in a way that is more than protecting our customer data and addressing compliance. We are adding business value and gaining consumer confidence.”