Time to review your Data Privacy budget for 2018 and beyond?

John M WalshData Privacy0 Comments

By now, most companies and organisations are in full swing with their version of GDPR compliance. After a slow start, we notice that those involved with the implementation are getting to grips with the details of GDPR and what it means for their organisation.

Once companies get beyond the assessment phase and start really to understand what is involved, there appears to be varied reactions which can be roughly classified into three types of responses:

  • ‘get us across the line the line with minimal effort’
  • ‘take risk based approach and do what we need to do”
  • ‘take both a value and risk based approach with long term vision, how can we use GDPR as a catalyst to get our information landscape in order and meet our GDPR compliance obligations’

All of these reactions are understandable. It is very reassuring to notice that there is a common acceptance of the importance of this regulation. OK, there may be grey areas in the interpretation and implementation but the focus is more on how rather than intent.

So, as many companies will now be busy preparing budgets for 2018, perhaps it’s worth keeping a few things in mind for our ongoing approach and planning for Data Privacy and Data Protection initiatives for 2018 and beyond:

  • Defining the company vision and strategy towards Data Privacy and how it relates to your company values is key to getting and keeping senior management on board this initiative.
  • I guess the term GDPR will lose its meaning in 2019 and beyond and be replaced by Data Privacy & Protection Program. Perhaps it’s a good time to start introducing these terms for Governance and Sponsorship. Maybe now is a good time to reiterate that GDPR compliance is an ongoing DP Program rather than a Project.
  • The GDPR assessment will have raised several surprises. We notice that they span the organisation, process and technology layers and that it is difficult to capture the ownership of many of these transversal initiatives. Maybe it’s a good time to reflect on how to capture the “value” of these findings and give them ownership.
  • Like many others, we believe that ongoing 100% compliance is impossible. And, due to the dynamic nature of data, your organisation may be compliant on paper yesterday but this does not guarantee that it is compliant today. Perhaps it a good idea to consider how ongoing compliance can be semi-automated and take this into account in your compliance program.
  • Last but not least, the GDPR presents a great opportunity to clean up ALL our Information and not just for Personal Data only. Perhaps, we could use the opportunity to show that the budget can be used for initiatives beyond “the GDPR Project”. Emphasising the Business Value and the bigger picture will help your organisation address the key issues that you face today. Using GDPR as a catalyst, we are sure that you will have the attention of senior management now to go beyond the fear elements of fines, reputational risks etc. towards business value creation. Why not go for Information Governance as the key solution for addressing many of the information challenges you are facing today and look to hook in many of the project initiatives identified in the GDPR assessment as part of data management maturity improvement program of 2018 and beyond.

Hope these points help your organisation today.

2-Day GDPR Bootcamp

John M WalshData Privacy, GDPR

2 Day GDPR Bootcamp on 21-22 September, 2018

Join us and many other companies on this deep-dive session into GDPR. During the two days, we will go into the details of GDPR and how is can be implemented in practical manner to meet the compliance requirements set out in GDPR.

The training shall be provided by Christoph Balduck of Data Trust Associates, a boutique company focused on Data Privacy and Information Management.
Christoph is an EU certified Data Protection Officer (EIPA) and has a wide range of experience in the role of enterprise architect and Data Manager. He continues to advise, coach and execute Data Privacy and Information Governance programs across the different industries both here in Belgium and internationally.

By bringing the data privacy and data governance worlds together, Christoph sees the great business value that can be obtained by accelerating GDPR compliant solutions for operational business analytics challenges.


Participation fee: 900 € excluding VAT

Once you have registered for this Bootcamp via the form below, Data Trust Associates will send you an invoice. Your registration will be effective as soon as we have received the payment.

Any cancellation must be notified by email at least 7 working days before the date of the event. In the event of absence or cancellation beyond this period, the full participation fee will be due.

More information:
Christoph Balduck
Mobile: 0472 712960
Email: christoph.balduck@datatrustassociates.com



Day 1: Thursday September 21 – GDPR Deep-dive
From 9:00 until 18:00

  • History
  • Hype cycle of GDPR
  • Additional legislations (NIS, e-privacy, anti-competition, anti-discrimination,…)
  • Scope of personal data
  • “Special categories” data, children data & location data
  • Data Categorization
  • Data retention & archiving
  • Data Register (article 30)
  • Legal ground & consent incl. consent mgt.
  • Purpose limitation
  • Transparency
  • Proportionality
  • Data accuracy
  • Data & information security incl. ISO27001/2
  • Data anonymization & pseudonimization
  • International data transfers
  • Profiling
  • DPIA & residual risk
  • DPO & DPO office
  • Breach notification
  • Target Operating model & link with Info & Data Gov.
  • Data minimization
  • Data controller vs. Processor
  • Privacy by default and by design
  • Proof of  compliance & accountability
  • Contracts
  • Data portability
  • Right to access, rectify, block, deletion/forgotten
  • Fines
  • Class actions
  • DPA & One stop shop

Evening dinner near venue 
In order to continue the GDPR and broader discussions, you are also invited to Dinner at a nearby location (18:30 – 21:00)

Day 2: Friday September 22 – GDPR Practicalities & use cases
​From 9:00 until 16:00

  • Link between GDPR, ISO27001/2, Information & Data Mgt.
  • Privacy strategy, guidelines, framework, implementation & monitoring/KPI’s
  • Data trust framework and determining opportunities for GDPR (bus. case)
  • Reference architecture
  • Planning
  • GDPR in projects
  • Data breach notification planning
  • models in depth
  • Tooling and accelerators: overview of major tooling and accelerators on the market & how to apply them.
  • Cases & practical use:
  • Setup of a privacy strategy
  • Scope determination & data categorization use case
  • Applying a risk based approach
  • Documenting & approach to a data register (from Level 0 processes to data flows)
  • Practically using Pbd & Pbd
  • Determining controller & processor in a complex relation
  • Applying a DPIA
  • Calculating the severity of a data breach (Enisa)
  • Determination of the right legal ground & consent
  • Determination of the solution architecture for a case
  • Data breach notification & how to prepare (contract, incident response plan)
  • Profiling & pseudonimyzation case

Book your place

Are we doing GDPR right?

Data Trust AssociatesGDPR0 Comments

By now your company will probably have started it’s GDPR journey. As GDPR involves a wide range of topics, all departments of your organisation are involved – either as affected parties, supporting departments or both.

That’s why it’s important to not implement GDPR from a purely admin or legal point of view only, but involve IT, data & information management, process management, business architecture and others to support and accelerate the implementation.

It’s important not to implement GDPR from a purely admin or legal point of view only,  something we still see a lot of companies doing.

Some GDPR activities like creating a register, appointing a DPO or privacy representative, updating privacy policies, defining legal ground & purposes are all more admin focussed activities that can (theoretically) be performed without good insight/understanding of an organisation’s personal data.

In reality though, the register will probably not be complete if only processes are taken into account and insight in personal data flows (in internal and external systems, integrations, applications etc.) is missing.

The register (article 30) will probably not be complete if insight in personal data flows is missing.

Furthermore, a number of key GDPR topics like “privacy by design & by default”, complying with the rights of the data subject, insight into a data breach and complete incident response plans, transparency about personal data processing, data quality/accuracy, etc.” are surpassing a purely admin approach and require deeper understanding of hands on GDPR challenges and the use ofpersonal data.

A number of key GDPR topics are surpassing a purely admin approach and require deeper understanding of hands-on GDPR challenges and the use of and personal data.

Many companies start with an admin approach and postpone or minimise the effort of more in depth topics as mentioned above with the risk of facing unpleasant surprises by May 25th 2018.

Many companies start with an admin approach with the risk of facing unpleasant surprises by May 25th 2018.

Free 5 min GDPR Readiness Check:

In order to find out if your company is not missing out on any of the key GDPR topics feel free to take our free 5 minute GDPR readiness check: http://datatrustassociates.com/gdpr-readiness-check/ which will provide you with insight into practical readiness of your organisation.

GDPR: Budget, Gap & the analogy of polluted water.

Christoph BalduckData Privacy, Data Protection0 Comments


If you haven’t heard of GDPR by now you’ve either been on a deserted island, went on a digital detox for the last 6 to 12 months, or… anyway you’re one of the few (happy) people not worrying about it’s impact… yet.

If you have heard of GDPR or are busy implementing it, you might be wondering what your implementation budget should be, how big the gap can be and how to convey the message in a simple way to all of your colleagues & management.


In terms of total GDPR implementation budget – we’ve seen ranges from 0,01 to 1% of global turnover – depending on the size of the company, it’s margin and risk level in terms of personal data exposure.

This range provides an indication but companies with high legacy and medium to high risk have to assume a total budget of about 0,5% to 1% of global turnover.

This refers to the total budget to implement (not the yearly budget).

As GDPR doesn’t end on the 25th of May 2018, the design of your solutions, architectures, policies, procedures, processes and organisations is crucial to prevent high GDPR maintenance costs.

It’s therefore important to extend the GDPR business case with other benefits. If done well, the investment in GDPR will serve business goals like operational excellence, better analytics & insight, innovation, better customer view, more accurate next best action & next best offer with higher conversion rates,….


With GDPR there’s no such thing as “one gap” – as GDPR covers several aspects: legal, processes & organisation, policies & procedures, documentation/register, information and data management, IT/tech, security,… .

Many companies find the gaps to be substantial as GDPR forces them into managing their (wide scope of) personal data, keeping track of it and making sure no unnecessary personal data is collected, stored or processed.

For years data management was considered a burden and a cost for many companies, with little to no direct visible impact on revenue or cost savings.

Successful data-companies however, used data & information management to either grow fast, optimize customer experience, improve operational excellence, disrupt or make better use of analytics.

Most of these successful companies know their data, have it under control and make sure every employee can get the most out of the data (including personal data). A data and information mgt. gap analysis will therefore often result in a significantly smaller gap than their competitors & peers who haven’t invested in data & information mgt. .

The higher your data & information management maturity – the lower your effort to becoming GDPR compliant.

Nevertheless, it’s not because a company has a higher maturity in terms of data & information management – that it’s automatically dealing with data privacy and data protection in a (more) compliant manner.

The analogy of the boat & polluted water.

In order to explain the data and information gap, affecting the size of your implementation effort, we’ll use the analogy of a boat & water.

Imagine a company represented by a boat which sails to different destinations to run it’s business.

This boat sails on a river which is very much polluted and has been for years now (with every year facing an increasing level of pollution).

The water of the river represents the data – the pollution represents bad quality data & data not being managed or not under control – but nevertheless crucial to keep the boat (business) running.

The boat managers don’t necessarily know about the severity of pollution – as the vision and  strategy of the boat company is about getting to the right destinations as soon as possible and reaching more destinations over time.

Using bigger and more powerful engines to achieve these goals might increase the cost but as long as the goals are met (more destinations are delivered)  – there’s little reason for doing anything about the water.

What the captain and it’s management don’t necessarily see is that below deck a lot of local hero’s are continuously removing the dirt in front of the boat to keep it moving (local hero’s continuously working to get some of the data fixed to be able to move on – knowing the same problems will occur again soon).

From time to time dirt gets into the engine and a problem is reported, but as this is usually fixed soon (bypassed) it’s back to business as usual and the core problem is not dealt with.

Some people on the boat and a number of visitors (data & information mgt. professionals) see the risk and understand the problem (and opportunity).

They try to convince the boat crew that cleaning up the water would save them time & money, facilitate operations and insight and ultimately add to reaching the boat company’s targets but it’s difficult to make the business case as the investment mainly allows for indirect and medium to long term gain.

A new legislation…

Recently however, the government created a new legislation – forcing the boat companies to cleanse the water – as the government realized people were actually swimming in this polluted water and they were getting sick of it. (cfr. data subjects suffering from lack of data privacy and data protection).

The government has been telling this to boat companies for over 20 years, but with the new legislation it will be able to impose severe fines so most boat companies will be forced to do something about it.

Fixing a problem that has expanded over time (more water and river branches (big data), more rivers and more pollution) is not an easy task and the gap to overcome for (boat) companies that have never done anything in terms of this pollution (data) is huge.

Fortunately a number of companies have already started reducing some of the pollution over the last few years and luckily some smart people are coming up with solutions to accelerate the clean-up.

Companies have until the 25th of May 2018 to get the water cleansed & can expect fines from then on.

Some have started & some are only focussing on the big debris, but forgetting the fact that even if the water looks clean it can still be unsafe (poisoned).

The analogy with the boat and polluted water allows for an easy explanation and understanding of the immense gaps and efforts companies are facing today.

It also indicates that the 25th of May is not an end point – as the government isn’t looking for a one time clean-up but for a continuous clean river with good quality water – allowing data subjects to swim safely.

You’re not alone.

DataTrustAssociates can help you clean up the water and make sure it serves more than just GDPR compliance – benefitting from the this effort, rather than investing in risk mitigation only.

The DataTrustAssociates team of (DPO certified) resources are eager to help your business on it’s journey of GDPR compliance, reusing your previous investments and applying a very practical approach reducing GDPR maintenance effort & costs (after 25/05/2018).