The EU General Data Protection Regulation is only months away, and more organizations are beginning to contemplate what they need to do for compliance. Many will begin their efforts with survey based Privacy Impact Assessments, because for many privacy professionals that is what they are most familiar with. However, as the “DP” in GDPR will attest to, the foundation of the new regulation is data protection: data security and data accountability. Neither is achievable  simply by conducting surveys. Satisfying both requires detailed data knowledge and the ability to monitor for changes, risky activity, and potential violations of applicable regulations. PIAs have their place,  however, when it comes to privacy by design and privacy operationalization, only data-driven continuous compliance will do.

Going Beyond Good Intentions

In response to almost epidemic data breaches and repeat incidents of personal data misuse, legislators and regulators have instituted myriad of measures to better protect data and return control back to data subjects. Many of these rules are impossible to implement without a detailed accounting of data being stored for individuals. In many ways this represents a sea change to how organizations safeguard their most sensitive information assets.

Privacy professionals historically were accountable to the business for ensuring compliance through better policies and processes. PIAs were in some ways means to measure conformance with a policy and process. However, as evidenced by escalating frequency and breadth of reported breaches and associated liability exposure, survey based approaches have not proven effective at ensuring compliance with either data protection or privacy policies and regulations. Mitigating data risk is nearly impossible when the measure of said risk is dependent on  often subjective and incomplete survey responses. Managing risk starts with precise and objective measurement.

Data Risk Evolved

A very similar evolution towards objective measurements of risk occurred over the past several years in the field of assessing third party risk and vendor risk management. Historically, 3rd party risk was also assessed through forms and surveys. However, this limited the repeatability, objectivity and predictability of the assessments. Consequently, over the recent years, 3rd party risk measurement has become more programmatic, so that the resulting  evaluations provide consistent scoring and  guidance to anyone looking to reduce risk. A similar evolution is now occurring in data risk assessment.

With the introduction of tools like BigID to find, map and analyze personal data it’s become possible for organizations to shift from qualitative and subjective survey-based assessments for risk and compliance validation to precise data-driven continuous compliance. Knowing whether data collection and processing exceeds defined legal or business policy thresholds becomes a function of monitoring the data. Data compliance and risk mitigation shift from guesstimation to always-on measurement.

Putting the “Ops” Back In Operationalization

Regulations like GDPR increasingly encourage companies to operationalize privacy and ensure privacy by-design from development through production. This requires  continuous monitoring and measurement of data risk, and conformance from “build time” to “run time”. Surveys can make an organization feel better about their compliance, but it’s a false sense of security. To truly operationalize privacy you have to be data aware, and measure compliance on a continuous basis across development and production. BigID is among a vanguard of companies that aim to transform data knowledge into always-on continuous compliance for privacy and security.