The GDPR Adventure: A Legal Perspective

Adventure (ad•ven•ture) / ad-ven-cher / noun: an undertaking usually involving danger and unknown risks; an exciting or remarkable experience; and enterprise involving financial risk. Origin: Old French aventure (noun), based on Latin adventurus ‘about to happen.’ There are many people who have the privilege of saying that they get paid to be adventurous. Mountain climbing guides, deep sea divers and National Geographic photographers are the first that come to my mind. Me? I’m an attorney for a software company – not exactly the stuff adrenaline junkies dream about. But before you decide that I don’t know a thing or two about adventure, I want you to know that I recently learned to ice climb. My job doesn’t require a helmet or inspire the same level of enthusiastic envy from friends as my ice climbing stories do, but it is an exciting journey. Let me tell you why I love my journey with Tripwire: I work with amazing and brilliant people. Have you ever mediated a conversation about a revision to the corporate information security policy on the topic of privacy with a group of people that spans three generations and includes engineers, human resource folks, information security professionals and sales folks? I have. Our employees care passionately about privacy; that was not a boring day in the office. You could feel the adrenaline in the room. And then, there’s the second best aspect of my job: I never get bored. Software is fun and cybersecurity is fascinating. I have the opportunity to work with people in every department, partners, vendors and customers. Data privacy falls under my responsibilities and impacts (to varying degrees) everyone with whom I work. But it was a new subject for me. When I first began learning about data privacy, it seemed like an impossibly vast topic. So for better or worse, I chose to attack the new subject in the same manner I would a new adventure. My GDPR adventure began with reading, preparing and choosing my adventure buddies. Then, I dove in. My travel journal notes are broken up into chapters. I aim to be concise, but I sometimes miss the mark. Names, places and events may be fictitious. Any resemblance to actual persons or actual events may (or may not) be coincidental.

Chapter 1

Start planning early. Buy a map. Chapter one is short because you should have already started. There seems to be a “wait and see” attitude among US mid-sized companies. I don’t fall into that category because (a) my job is to minimize risk, (b) I like to be proactive rather than reactive, and (c) data privacy is important to this company. I also love timelines, flow charts and maps. If you haven’t already begun your journey, stop Googling kitten videos and read some of the readily available resources and articles. Figure out what your adventure looks like, buy a map and then regularly consult the map, so you don’t get lost.

Chapter 2

Recruit Your Travel Mates. Cupcakes help.

“I am looking for someone to share in an adventure that I am arranging, and it's very difficult to find anyone. I should think so — in these parts! We are plain quiet folk and have no use for adventures. Nasty disturbing uncomfortable things! Make you late for dinner!” ― J.R.R. Tolkien, The Hobbit

The R&D Director and Information Security Manager didn’t get a vote in their status as my partners (in compliance). I bought them cupcakes, told them it was to celebrate their status as my GDPR adventure buddies, and that was that. Just kidding. It actually took a lot of work to recruit my adventure buddies; about a year’s worth of work. Once the final version of the GDPR was released, it was clear that I would need help from other employees in order to achieve full compliance. The scope of the GDPR is especially broad for tech companies that sell solutions or services to European customers. Over the past year, I dedicated time to understand the regulation, build relationships, partner with HR and IT to update relevant policies, and learn more about our engineering department. The time was well spent. I have learned about our secure software development lifecycle. I can probably quote our information security policy from memory. I’ve learned that our engineers care deeply about privacy and security. I earned some credibility and respect while I developed relationships with valuable partners who I now count as friends. And it is those friends who embarked on the GDPR adventure with me. It is important that you have the support of your executive staff, but your travel mates are essential. You won’t have all the answers, and you can’t do everything on your own. Your best bet is to choose the folks who you know, respect and are only mildly annoyed at being tapped for ANOTHER compliance project. Offer snacks. I find cupcakes are most popular. *** We continue our preparation for the GDPR, so you can expect more journal notes over the coming months. If you have any specific areas you would like to see covered, leave a comment below.