Chapter 1Start planning early. Buy a map. Chapter one is short because you should have already started. There seems to be a “wait and see” attitude among US mid-sized companies. I don’t fall into that category because (a) my job is to minimize risk, (b) I like to be proactive rather than reactive, and (c) data privacy is important to this company. I also love timelines, flow charts and maps. If you haven’t already begun your journey, stop Googling kitten videos and read some of the readily available resources and articles. Figure out what your adventure looks like, buy a map and then regularly consult the map, so you don’t get lost.
Chapter 2Recruit Your Travel Mates. Cupcakes help.
“I am looking for someone to share in an adventure that I am arranging, and it's very difficult to find anyone. I should think so — in these parts! We are plain quiet folk and have no use for adventures. Nasty disturbing uncomfortable things! Make you late for dinner!” ― J.R.R. Tolkien, The HobbitThe R&D Director and Information Security Manager didn’t get a vote in their status as my partners (in compliance). I bought them cupcakes, told them it was to celebrate their status as my GDPR adventure buddies, and that was that. Just kidding. It actually took a lot of work to recruit my adventure buddies; about a year’s worth of work. Once the final version of the GDPR was released, it was clear that I would need help from other employees in order to achieve full compliance. The scope of the GDPR is especially broad for tech companies that sell solutions or services to European customers. Over the past year, I dedicated time to understand the regulation, build relationships, partner with HR and IT to update relevant policies, and learn more about our engineering department. The time was well spent. I have learned about our secure software development lifecycle. I can probably quote our information security policy from memory. I’ve learned that our engineers care deeply about privacy and security. I earned some credibility and respect while I developed relationships with valuable partners who I now count as friends. And it is those friends who embarked on the GDPR adventure with me. It is important that you have the support of your executive staff, but your travel mates are essential. You won’t have all the answers, and you can’t do everything on your own. Your best bet is to choose the folks who you know, respect and are only mildly annoyed at being tapped for ANOTHER compliance project. Offer snacks. I find cupcakes are most popular. *** We continue our preparation for the GDPR, so you can expect more journal notes over the coming months. If you have any specific areas you would like to see covered, leave a comment below.