At Keepabl, we like keeping compliance simple. Before creating Keepabl, our founder was General Counsel of growth tech companies for over 13 years, and became expert at establishing straightforward frameworks to help professionalise and platformise the business for future growth.
Born from that philosophy, Keepabl is proud to present the Privacy Stack to help organisations, public and private, clarify and organise the resources they need to stay compliant with GDPR. We’ve found it extremely useful in talking to clients directly or at events about what they need for GDPR compliance – it really seems to resonate. We hope you find it helpful.
While each organisation may claim to be unique, all have common problems in addressing their GDPR obligations – and many are struggling to work out just exactly how to handle compliance. The December 2018 UK SME survey by Aon revealed 50% of UK SMEs are still confused by GDPR, ranging from 40% in Finance and Legal (Legal still at 40%…) to Construction at 58%.
Just as Keepabl’s Privacy-as-a-Service solution makes getting and staying compliant with GDPR much simpler, the Privacy Stack clarifies the thought process around what you need to have or do to address your GDPR obligations. We’re all familiar with the concept of a Tech Stack: a collection of infrastructure, networks, servers, databases, applications and other technology that you use to deliver a desired outcome, chosen so that they all play well together.
The Privacy Stack is exactly that for GDPR compliance, with the addition of essential humanware.
In our White Paper series on the Privacy Stack, we’ll go into more detail on each element of the Privacy Stack separately. We’ll be talking about which external advisers you should have on speed-dial in later posts, as well as giving examples of who you can turn to. And we’ll be identifying the toolkit you need, what you can repurpose or co-opt from your information security tech stack, or other compliance tech stack, and giving examples of providers for each type of product or service. For now, let’s take a quick look at the component parts of the Privacy Stack.
It all starts with your own people. Someone at the organisation (preferably more than one) has to roll their sleeves up and become the Privacy Champion. They then need to get support for and manage the initial ‘get compliant’ project, enthusing and involving the rest of the business.
You’ll then move into the ‘business as usual’ or ongoing compliance phase. Your advisers are likely to stay involved on an ongoing basis to varying degrees depending on your internal resources, perhaps helping if you suffer a suspected breach, or with reviewing vendors or contracts, assisting if there’s an audit, and providing training. You can use Keepabl to review the entirety of your governance system with them over a period, much as you maintain your Information Security Management System if you’re ISO 27001 certified.
After people, it’s the software you use to meet most of the technical requirements of compliance and make the humans’ job as easy as possible. It’s important to note that no one piece of software will cover all your privacy needs, just as you use different providers for backups or anti-virus, data discovery or encryption. So you’ll need to identify the jobs to be done and choose relevant tools accordingly. That’s where the Privacy Stack comes into its own and lights the way.
While GDPR isn’t a technology law, nor a pure security law, technology and security are fundamental to GDPR compliance. Tools such as 2 or multi-factor authentication (‘2FA’ and ‘MFA’), encryption, backup services, secure transfer services, and other security software such as firewalls and anti-virus software, either should or could have a place in your Privacy Stack. Some will be solely utilised for GDPR compliance, but you should be able to leverage your existing investments in tools for other compliance requirements and, importantly, your existing information security tools.
Hardware is less critical for the Privacy Stack as we’re not talking about the hardware you use in the normal course of your working day, such as laptops, smartphones and even the servers and other media where the data is stored. (You will need to consider that hardware as part of your Privacy Governance though, including to encrypt data at rest.) Here, we’re talking about hardware that you use specifically for GDPR compliance, such as encryption hardware and the kit you might need for your chosen MFA solution.
That’s a quick walk through the Privacy Stack. We’ll be discussing all of these elements of the Privacy Stack in a White Paper series and later blog posts so do keep tuned!