GDPR Bricks and Mortar Defence or Digital Viking's Inspiration

GDPR - the General Data Protection Regulation - is the next wave of personal data privacy regulation from the EU and is expected to go live mid 2018, i.e. pre-Brexit. This generally tightens up privacy requirements in a number of areas and has been a theme of discussion at a number of Cyber Security events this year, including today's InfoSecurity Magazine event.

Anyone interested in "Things Digital" should ask themselves, will this act as a regulatory defensive wall for old fashioned Bricks and Mortar / Industrial Age companies to shelter behind, or is it a new discipline or challenge for digital Vikings to embrace?

A couple of today's speakers made some interesting observations and comments: 

• GDPR means that you need to know the What, Where and Why of Personal Data, especially customer data;
• Regulation should not drive data security, Security Should Drive Regulatory Compliance;
• There is a strong case for Digital Companies to adopt Social Digital Responsibility as Part of their Brand.

In a way, it should be easier for purely Digital companies to do this, as they are mostly starting from scratch with few of the problems of IT Estate Sprawl that many established companies have, with legacy systems, infrastructure and the typical complications inherited from previous defunct strategies as well as mergers and acquisitions. 

Also, in a previous blog, I mentioned that many digital companies actually regard this data as part of their IPR. So addressing GDPR (& other jurisdictional requirements) should be core to their business activity. Although future approaches toward collection and explicit consent may have to be sharpened up to meet the new requirements.

The implication is that Digital company that plans and builds Privacy Protection in from Day 1, will actually be building its own competitive advantage over traditional companies who mainly will be playing catch up.

It's strategy Jim, but not as we know it ...

A friend of mine who was a leading light in the development of Information Strategy and Architecture practices in the 80s and 90s, retired a few years ago. The key driver being his disillusionment with organisations who said that there was no time for developing strategy.

In the time since then, Enterprise Architecture has enjoyed a considerable re-birth and growth, everything has gone digital and organisations have started to publish strategies which read more like marketing guff expounding bland benefits, than anything which informs the reader or directs action.

A couple of things have brought this to mind recently. the first was that I picked up a copy of Richard Rumelt's "Good Strategy Bad Strategy", in which he emphasises the need for a situation diagnosis of what is needed to succeed, proposing an integrated and coherent policy which addresses this, and a small set of supporting actions. This is a great read and worth while for anyone interested in Business Strategy.

Yesterday, I went to very stimulating talk about post merger integration by Henry McNeill at the British Computer Society. Afterwards as we huddled around the wine and sandwiches, several key themes came out:

• Many companies are still not aligning acquisition activity with business strategy;
• There was violent agreement that clarity of the aims, target state and value proposition of an acquisition is imperative for successful integration;
• Participation of IT from due diligence onwards, provides an ideal opportunity for IT to show how it can help the business articulate and deliver against a strategy for the exploitation of the newly acquired business. Sadly, many organisations are still bringing IT in on Day 1 after deal completion and missing opportunities to mitigate risks and address early integration opportunities quickly. Some still take years to work out what to do with them.

This brings me to the point of today's commentary. My experience has been that almost all business strategies are usually incomplete and fail to unify the senior management of the business. IT needs a coherent exposition of Strategy which identifies the "game changing" opportunities or risks in the business market place to be able to prioritise its investments, define what common capabilities are needed and to support effective innovation. Working with business leaders at C suite and direct report level to "elicit the real business strategy that they work to" and agree the opportunities is valuable to the business as a whole. It's often a great way to get everyone to understand each others problems and can help unify purpose.  However, its got to be continuous to support the ever shifting business environment as businesses go Digital and Agile. Strategy has to take a Fail Early, Refactor and Learn approach to continuously calibrate its diagnosis, unifying policy and action plan. There's a role for the CIO in this.