May 24, 2018
GDPR: Are you ready for the Big Day?
The new General Data Protection Regulation (GDPR) comes into force in the European Union on May 25, 2018. It expands the privacy rights of EU individuals and places new, much stricter obligations on every organization that markets to, tracks, or otherwise handles their personal information (PI), whether or not that organization is itself based in the EU. With the deadline only a day away, ESG surveyed 700 of the world’s largest companies and found that only 33% expect to be GDPR-compliant in time for these sweeping changes.
It is crucial to understand the new law in its entirety, and to know which PI falls within the scope of GDPR. Personal data under GDPR is any information relating to an identified or identifiable person, which includes:
- Basic identity information (name, address).
- Online identifiers such as IP addresses and cookies.
- Data concerning health, sex life or sexual orientation.
- Biometric and genetic data.
- Even opinions and notes revealing political views, or racial or ethnic origin.
GDPR also defines roles that companies must map onto current or new personnel and contracts. The Data Controller (the organization that decides why and how PI is processed) and the Data Processor (any organization that processes PI on the controller’s behalf) are responsibilities of the organization itself, and both must be able to demonstrate compliance with the regulation. The Data Protection Officer is an individual who must be appointed in certain cases to monitor that compliance.
What should we do to prepare for GDPR?
Preparation is a multi-step process with different priorities, and it will require some monetary investment. As daunting as that may sound, the penalties defined by GDPR are convincing enough that any prudent company needs to start moving in this direction. For example, the law levies fines of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
Here is a short plan of actions to be taken:
1. Involve all branches of the business. During the assessment and analysis stage, companies should develop a strategy and architecture that minimizes risk and achieves company objectives across all divisions and departments. Although data is most often associated with IT, the biggest gaps in information and planning will be found in the other departments that work with PI. As an example, your marketing team generates leads using the forms on your web applications. All of that is PI, and it is usually stored in local databases that marketing feeds into analytical tools to track campaign effectiveness. Under GDPR those web forms must change: each one needs to state what data is being captured and give a clear description of how the provided information will be used, so that the user can decline at any point and prevent your system from capturing their PI.
2. Appoint a Data Protection Officer. GDPR does not require every organization to hire a dedicated DPO; the appointment is mandatory only for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. Even where it is optional, a current employee should be given the responsibilities of the role. Remember that an investment in their training and education on EU law and certifications will still be necessary. Outsourcing the position is another option. Given the potential fines for data protection violations, the cost is worth it.
3. Perform a risk assessment. Review all of your IT infrastructure and technologies; this gives you a clear picture of where action is required. However, while secure IT is a primary focus of GDPR readiness, IT is merely a tool used by the people in your organization, so the assessment must cover processes and data flows, not only systems. Some gaps can be closed by a single centralized solution, which is why it is important to understand the full scope of work before buying anything. Conduct a dry run so that the company can see what is required to meet data subject requests for access, erasure, transfer, and correction. It should be possible to carry out a documented audit, and to inform both data subjects and regulators of any breach; GDPR expects the supervisory authority to be notified within 72 hours of becoming aware of a breach where feasible.
4. Educate your staff. The human factor is a high-severity risk in security, which is why it is critical to train employees at all levels. Without that training, the practices and policies you adopt for storing and handling customer personal data will not be followed consistently.
5. Create a data protection plan. This is the implementation stage and should be backed by concrete action, such as putting in place a program that is both sustainable and compliant with personal data protection requirements. Global vendors like Microsoft and Salesforce have already showcased their compliance initiatives, and these have been used as templates for how companies should be equipped to safeguard subjects’ data. Most companies should already have such a plan in place; for those that do not, the time has arrived.
New rules for working with PI
- Organizations may only process data that is relevant to the specific purpose for which it was collected.
- Organizations may only collect the limited, necessary data (data minimization).
- PI must be deleted once the original purpose for its collection has concluded.
- Data security must be a top priority for the organization.
- Encryption is not an explicit requirement, but it is named in the regulation as an appropriate safeguard, and applying it to sensitive data is strongly recommended.
- Pseudonymization protects PI by replacing direct identifiers with pseudonyms, while the information needed to re-link them is kept separately. Pseudonymized data is still personal data and remains subject to GDPR.
- Anonymization converts data to a truly anonymous state, from which no individual can be identified, so that it is no longer subject to GDPR.
- A data controller determines the purposes and means of processing personal data and is responsible for ensuring that the processing is GDPR-compliant.
- Privacy by design means that when a company builds a new product or data processing flow, GDPR requirements are taken into account from the start.
- Privacy by default means that the most privacy-protective settings are applied to all procedures unless the data subject chooses otherwise.
- Impact analysis (a Data Protection Impact Assessment) should be an ongoing process for determining how changes to data flows and security affect any new or existing solution.
- A data subject can request correction or removal of his or her PI at any time.
- A data subject can request all of his or her PI stored in your system in a structured, commonly used, machine-readable format, e.g. CSV or JSON (data portability).
- A data subject has the right to be forgotten, i.e. the right to erasure of all of his or her PI.
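The distinction between pseudonymization and anonymization in the list above is easy to get wrong in practice: an unkeyed hash of an email address looks anonymous but is reversed by guessing, and pseudonymized data is still personal data precisely because the key holder can re-link it. The following is an added example written for this article (it is not code from the page or from any vendor it names) that shows both techniques on a constructed record set, plus a k-anonymity check on the anonymized output. The record data, the `subject_token` field name and the age-band/postcode generalization rules are assumptions chosen for illustration; the HMAC key would in practice come from a KMS or HSM, never from source code.

```python
"""Pseudonymization vs. anonymization of a small customer record set.

Added example for this article; not code from the page or from any
vendor product it names. All records are constructed sample data.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample data (fictional people, fictional postcodes).
RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "plan": "pro"},
    {"email": "bob@example.com",   "age": 37, "postcode": "SW1A 2BB", "plan": "free"},
    {"email": "carol@example.com", "age": 52, "postcode": "EC1A 1BB", "plan": "pro"},
    {"email": "dave@example.com",  "age": 58, "postcode": "EC1A 4CC", "plan": "pro"},
]

DIRECT_IDENTIFIERS = ("email",)          # fields that name a person outright
QUASI_IDENTIFIERS = ("age_band", "area")  # fields that identify in combination


def new_key() -> bytes:
    """Pseudonymization key. Assumption: in production this comes from a
    KMS/HSM and is stored apart from the pseudonymized data set."""
    return secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: looks anonymous, but anyone can recompute it from a
    candidate list of addresses, so it offers no real protection."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Consistent per subject, so joins and
    analytics still work, and only the key holder can re-link a token to a
    person. That is why the result is still personal data under GDPR."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Strip direct identifiers and attach a keyed token per subject."""
    out = []
    for r in records:
        stripped = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = keyed_pseudonym(r["email"], key)
        out.append(stripped)
    return out


def relink(token: str, candidates, key: bytes):
    """Legitimate re-identification by the key holder: recompute the token
    for each known subject and compare in constant time."""
    for c in candidates:
        if hmac.compare_digest(keyed_pseudonym(c, key), token):
            return c
    return None


def guess_naive(token: str, candidates):
    """The attacker's version of relink() against an unkeyed hash: the same
    loop works with no secret at all."""
    for c in candidates:
        if naive_pseudonym(c) == token:
            return c
    return None


def anonymize(records):
    """Drop direct identifiers and generalize quasi-identifiers so that no
    row maps back to one person. Generalization rules are assumptions."""
    out = []
    for r in records:
        out.append({
            "age_band": f"{r['age'] // 10 * 10}s",  # 34 -> "30s"
            "area": r["postcode"].split()[0],       # outward code only
            "plan": r["plan"],
        })
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest group size over the quasi-identifier combination. A value
    of 1 means some row is unique and therefore re-identifiable."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    key = new_key()
    emails = [r["email"] for r in RECORDS]
    tokens = pseudonymize(RECORDS, key)
    print("pseudonymized:", tokens[0])
    print("re-linked with key:", relink(tokens[0]["subject_token"], emails, key))
    print("re-linked without key:", relink(tokens[0]["subject_token"], emails, new_key()))
    print("naive hash guessed:", guess_naive(naive_pseudonym("bob@example.com"), emails))
    print("k-anonymity of anonymized set:", k_anonymity(anonymize(RECORDS)))
```

Run as a script, the output shows the pseudonymized set re-linking only with the right key, the unkeyed hash falling to a dictionary guess, and the generalized set reaching k=2 (every age-band/area combination occurs twice). A real anonymization exercise would raise k and also check that the remaining attributes (here `plan`) do not single someone out within a group.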
The best IT practices from leading vendors such as Google, Facebook and a score of other IT leaders are likely to become the templates for GDPR compliance. It is reasonable to understand what they are doing right now, and what can be borrowed from them. Here are some examples:
- General data protection and safety. In 2017, Microsoft released a number of Azure and Office 365 tools that are among the most stringent in the industry when it comes to security and data handling. Oracle’s Database Security technologies and products also help client companies work toward GDPR compliance.
- Smooth and prompt decision making. Data privacy is a thorny issue that leaves no room for error. SAS data governance tools and services might be a significant advantage to companies dealing with massive volumes of private data.
- Use of verified software and hardware. Some existing software and hardware fail to meet the tough data privacy and protection preconditions brought about by GDPR. It is time for companies to look for products with documented security standards, such as SAP’s Cyber, Data Center, and Product Security standards for both on-premise and cloud software. Intel Authenticate is another example of a solution designed to help protect against modern cyberthreats.
- Data portability and transparency. Salesforce has out-of-the-box functionality, such as the Individual data object, with privacy and consent settings for Salesforce instances (orgs). Likewise, the new Activity History option from Microsoft and IBM’s Spectrum Protect Plus can help support compliance, and offer an opportunity to build trust and attract customers.
Now that they are legally bound, companies have a clear incentive to protect customer data and to be transparent about every transaction. This not only helps firms become GDPR-compliant, but also gives them new, trustworthy ways to interact with both existing and potential customers.