- GDPR is one of many issues a CIO has to contend with every day, another compliance standard akin to HIPAA or former Safe Harbor regulations requiring companies to "check a box," said Eric Johnson, CIO of Talend, a data integration provider, in an interview with CIO Dive. Johnson joined Talend in January, just months ahead of the looming GDPR deadline. Prior to his time at Talend, he served as the CIO of DocuSign and the SVP and CIO of Informatica.
- The difference with GDPR, however, is the regulation is more "broad and far-reaching," with compliance mandates sweeping across industries, said Johnson. The regulation will make many companies "take a good, hard look at what they're doing around people, process and technology, much more so than ever before." GDPR has the opportunity to make many organizations more efficient, with increased security and better scale.
- But reaching full compliance by May poses a real challenge, a deadline many organizations cannot meet. Without attention to people and process, most organizations will not reach compliance. "This is a big change management challenge that CIOs are up against," Johnson said. "The technology is absolutely going to be a part of the conversation ... but more CIOs are going to fail at this because they can't get the change management process piece of this working correctly."
Underlying some of the complexity associated with GDPR is the attitude in the U.S. toward data and privacy. "We sort of err on the side of open and free," said Johnson. Users are accustomed to platforms like Gmail, for example, readily accepting that their data is in the public domain.
But the benefits of free and intuitive services outweigh potential privacy concerns, paving the way for companies to leverage personal information and sell it to marketers.
GDPR is forcing companies in the U.S. to revisit previously accepted standard, with organizations looking to Europe's "high water mark" for privacy, according to Johnson. While many U.S. CIOs face a steep learning curve, and a potentially painful compliance process, organizations have to rethink the well-engrained default setting for data use.
Marketing, for example, uses data to drive leads and pipelines, said Johnson. If the ability to ingest and manage data becomes constricted, organizations are going to have to get creative about core processes. A symbiotic system, new approaches to handling data will likely give rise to an ecosystem of third-party organizations that can contract with companies for data management services.
Some industries, such as media and retail, are particularly vulnerable to falling behind on GDPR compliance. But other sectors, technology in particular, have led compliance efforts, setting an example for companies in other industries. For example, Box as a technology vendor had to focus on its GDPR compliance efforts early on.
Other organizations are also looking to bring in leaders like data protection officers, which can hone compliance details and ready companies for regulation deadlines.