A critical mistake companies make when deciding how to tackle GDPR is looking at it like an IT-only or Compliance-only endeavor. Yes, data sounds like it belongs to IT, and yes, it’s a regulation so Compliance should be involved. But realistically, data of all types runs through every single department across the organization. Therefore, the best way to comply with the GDPR is to integrate every department into the compliance process.
Let’s think more about why an integrated approach is best. First, and most basically, the GDPR is a monstrously huge regulation, so breaking it down into small, actionable parts is in everyone’s best interest. Such a large task should never fall on one person or department.
Second, more heads are always better than one. How is one person supposed to know every single type of data being collected, who collects it, where it’s stored, how it’s protected, etc.? They just can’t. It takes a host of subject matter experts and process owners to get the answers to all these questions.
Third, sharing information across silos within one centralized platform drastically cuts down on the amount of time spent on achieving compliance. Different departments often share similar risks, so instead of taking the time to design two different controls or policies, you can kill two birds with one stone and design a centralized control. Of course, without communicating across silos, you never would have known to do that!
Lastly, every department really does hold a piece of the puzzle when it comes to data privacy. For instance, IT knows where data is stored, but they don’t necessarily know what kind of data it is. Rather, Sales might know that it’s the name, title, and company of potential customers, while Finance knows that it’s the billing information of current customers. You get the picture.
Taking an integrated approach is the best way to comply with the GDPR because it drastically reduces the headache, time, and effort it takes to achieve compliance.