Sun Tzu once said, “Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy, but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and yourself, you are certain in every battle to be in peril.” Admittedly, when he said that, he was teaching soldiers the art of war, but come to think of it, isn’t that the underlying principle for most people to follow when they are faced with a challenge?
In our previous article, we tried to get acquainted with the General Data Protection Regulation to get to know our challenger. Now, in order to implement Sun Tzu’s advice, it is imperative that Data Controllers understand and assess where they stand. There are two ways to do that: the first is to seek help from a consultant who will guide you through the process, while the second is to take one of the many self-assessment tests that are flooding the internet.
Now, for any curious and self-reliant Data Controller out there, the biggest question is which self-assessment test is the most accurate. Unfortunately, there is no right answer to that question. Therefore, the best thing to do is sample a few of these self-assessment tools to prepare your own self-assessment. All the Data Controllers need to do is first get an idea of the potential risk that they are facing. Imagine the Data Controller to be a person who is unwell. Before going to the doctor, he would be required to at least assess what his problem is. Imagine standing in a hospital and not being able to explain your symptoms; that would lead to a bunch of tests which would be expensive, time-consuming and nerve-racking. Similarly, if a Data Controller tries to face this Regulation without a self-evaluation, it would not know where to start, what to do or exactly how much help it needs.
A good self-assessment tool would incorporate questions about the size of the organisation, the activities performed by the organisation, the flow of data within and from the organisation, the kind of data processed, the data protection assessment activities, the encryption systems used, the disposal of data after use, etc. While all these questions might seem a little daunting, they pave the way for the software to assess the risk the Data Controller faces, so as to help plan the course of action needed to be compliant with GDPR.
An ideal self-assessment tool should answer the question “Am I compliant with GDPR?”. Imagine a tool that lets you evaluate compliance with every single Article of GDPR by providing you with a compliance checklist corresponding to every Article. Wouldn’t that be great?
Any self-assessment tool should also be able to answer the question, “Where do I fall short?”. Therefore, a heat map highlighting the high-risk areas would be ideal. It would help identify the areas which require urgent attention to ensure that the Data Controller is compliant with GDPR.
Therefore, it is imperative for the Data Controller to first assess where it stands so as to gear up for the next step, which is to strategize its course of action to deal with GDPR. All this might seem like a lot of work and added responsibility, and the Data Controller might feel that it drew the shorter stick, but don’t worry, it is all manageable. We will deal with that in our next article. Till then, let’s assess where we stand.