Countdown to GDPR

Stephen DeAngelis

April 25, 2018

Only one month remains for companies to prepare themselves to comply with the European Union’s General Data Protection Regulation (GDPR). GDPR privacy rules are set to take effect on 25 May 2018. Bob Violino (@BobViolino) reports, “Many global companies are still unprepared for General Data Protection Regulation compliance, according to a new study by tax and advisory firm EY.”[1] According to the EY survey, “Only 33 percent of respondents said they have a plan in place to comply with the European Union (EU) legislation.” Being a GDPR laggard could become a big problem. Steven Norton (@steven_norton) and Sara Castellanos (@SCastellWSJ) explain, “The regulation governs how organizations use and manage information gathered on EU citizens, and imposes new rules on when to disclose data breaches. For example, individuals will have the right to obtain information from organizations about how their data is used, and can request certain information be deleted. Another rule requires that organizations disclose data breaches to European regulators within 72 hours of discovery. Companies that fail to comply with the regulations could face penalties as high as 4% of global annual revenue or €20 million, whichever is higher.”[2]

Who must comply with GDPR?

Some companies may be laggards believing the GDPR doesn’t apply to them. Those companies need to take a closer look at where their customers live. Analysts from Dropbox explain, “Under the GDPR, the location of the individual whose data is being processed is a key factor, whereas the existing EU Data Protection Directive is more concerned with the location of the processing.”[3] They continue, “In practical terms, this means that the GDPR will now apply to organizations based outside the EU that offer goods and services to, or monitor the behavior of, EU-based individuals. For example, a US-based retailer selling goods or services to EU-based customers and processing their data in the US could now find that they fall within scope of the GDPR.” That twist could catch many companies off guard and cost them a good deal of money should a breach of databases occur. Alex Hickey (@its_ahickey) offers an example of how things are changing. Last year, she reports, Hilton Domestic Operating Company, Inc. paid a $700,000 settlement following two data breaches which compromised more than 350,000 credit card numbers.[4] Had those breaches occurred a month from now, the fines would have been much steeper. Hickey explains, “Were Hilton subject to GDPR’s upcoming fine changes, the company would have to pay $420 million — or $1,200 for every compromised record, compared to $2 under the current fines. … Though GDPR is an EU policy, even U.S.-based companies conducting business in the EU will be bound by upcoming regulations.”[4]

What can Laggards do?

In separate articles, Steve Treagust (@SteveTreagust), a global industry director for finance, HCM & strategy at IFS, and David Lavenda (@dlavenda), vice president of strategy at harmon.ie, suggest a few steps companies can take to be GDPR compliant. Treagust writes, “It’s a now or never situation: business leaders must already have a plan in motion that ensures GDPR compliance.”[5] Lavenda adds, “While this all sounds ominous and complex, it doesn’t have to be. Foundationally, GDPR compliance is about following sensible information management practices — something all businesses should be practicing — to secure and organize the heaps of customer data they collect.”[6] Suggested steps to become GDPR compliant include:

1. Letting consumers know what data is being collected. Lavenda writes, “Companies across industries are collecting more consumer data than ever before. Under GDPR, be clear about what information you’re collecting, how it will be used, and have a legal document in place that clearly outlines both.” Lindsay McGettigan (@lindsaymcget), Vice-President of Digital Strategy at R2integrated, recommends both clarity and simplicity.[7] She explains:

“What if, right before the unreadable agreement, companies complete these three bullets in plain words?

  • We collect the following the information: _____
  • We use it to: _____
  • We sell the data to ____ or share the data with ____ (or neither)

If transparency would scare away potential users, hiding the truth doesn’t fix the problem. Word gets out eventually, and, when it does, people tend to use the service anyway. Why not be up front?”

Lavenda adds, “Another option is to only collect data you need — if you don’t need to know a person’s gender for a specific reason, consider eliminating those prompts on your website. … As part of the GDPR, ‘The Right to be Forgotten’ will allow consumers to demand that an organization deletes any data they hold on them. In order to honor this, be sure that all personal information is moved to a central environment so it can be easily and thoroughly removed.”

2. Unifying your data. Both Lavenda and Treagust recommend unifying your data. Treagust explains, “All existing personal data (PD) must be identified, and the systems and processes surrounding that data must be logged for review and possible change. During this time, some PD may be deemed unnecessary and deleted; the remaining PD must be flagged as needing additional permission from the user.” Lavenda adds, “Aim to store all personal customer data in one, central environment, or connect on-premises and cloud deployments. If this is not possible, make sure that departments have one single space for storing data.”

3. Storing your data. Treagust agrees with Lavenda that data storage is an important consideration. He explains, “Look at the systems used to store PD. These must be updated to include several factors, including fields which relate to the ‘purpose’ for holding the data, legal grounds for processing, processing dates, and actions which could (and in some cases, could not) be performed. It is vital that any data stored should be protected by GDPR compliant protocols for general data security aspects including access control, storage security and data backup, as it is imperative that these are sufficient for the purposes of GDPR compliance.” Lavenda recommends conducting a data “spring cleaning” exercise. “One of the easiest ways to begin complying with the GDPR, he writes, “is to perform an audit of all the information you currently hold and search for any personally identifiable information that may exist across your organization. Move what you want to keep to a central repository and delete the rest.”

4. Making information easy to recall. Treagust writes, “Businesses must be prepared to provide detailed reports to any individuals whose data lives in the system, upon their request. This includes rationale behind why the data is being held, where it’s being used and how much storage time is left on each item. … The challenge is ensuring all personal data is stored and tagged correctly. Getting this right requires a critical look at the company’s data collection and storage processes.” Lavenda adds, “To be compliant, you will need to confidently collect data from all your systems about a specific customer. This may involve collecting data from multiple systems, so have the technology and processes in place to do so.” This will be a much harder challenge than most companies realize. Analysts from Coseer explain, “Businesses don’t even know which documents may contain personal data outside of structured databases. There is no scalable way to this manually, or using traditional software.”[8] That’s why they recommend companies invest in cognitive technology.

5. Automating data maintenance. Treagust writes, “It’s critical that data maintenance processes are considered for all individuals who have data within the system, in order to maintain their records. A way to ensure this is to allow internal subjects to update their data on their own using self service, and for updated processes to allow external subjects the ability to have their data updated.” Lavenda adds, “Personal customer information … must be recorded centrally, have permissions and metadata tags applied and be destroyed when no longer required. Don’t keep paper records, and implement strict, automated processes about how long you hold onto this information and when it’s no longer needed.” As noted above, analysts from Coseer recommend investing in cognitive technologies. They explain, “Businesses want their investments to be future proof. The patterns and lists that identify sensitive data today will very likely change in the coming years. … The nature of the business may change as well. Businesses need something that is self learning and can adapt with changing nature of information. In short, they want cognitive computing.” Cognitive computing can help ensure data processing is GDPR compliant. Treagust explains, “Data should be processed in accordance with the legal grounds set out in the GDPR, and in compliance with the wishes of the data owner. Ensuring data collected is only used for the purposes given requires changes to processes that involve accessing data prior to taking an action, such as e-mailing or calling a data subject. This requires extra data about allowable actions to be collected and stored which ensures automated processes only pick up compliant data for complaint actions.”

6. Safeguarding data. Lavenda observes, “Under GDPR, companies must store any data they collect via internal systems in a secure platform. Assess your current cybersecurity measures, make sure basic security procedures such as encryption and password protection are in place and then promote security best practices amongst members of your organization.” Pamela S. Hrubey writes, “Rather than fearing GDPR, organizations should embrace the legislation and use it as a catalyst to improve information security strategies and to create a new path to future revenue growth.”[9]

Chances are you’re not going to be able to implement those suggestions if you are only now getting started. Nevertheless, starting now is better than procrastinating further.

Footnotes
[1] Bob Violino, “Most firms still unprepared for fast-approaching GDPR mandates,” Information Management, 6 March 2018.
[2] Steven Norton and Sara Castellanos, “Companies Scramble to Cope with New EU Privacy Rules,” The Wall Street Journal, 26 February 2018.
[3] Dropbox, “Where does the GDPR apply?CIO Dive, 26 March 2018.
[4] Alex Hickey, “Hilton to pay $700K in data breach fines, but it could be much worse,” CIO Dive, 6 November 2017.
[5] Steve Treagust, “A tactical 5-step model for achieving GDPR compliance,” Information Management, 15 March 2018.
[6] David Lavenda, “7 steps to ensure an organization is GDPR-ready,” Information Management, 27 March 2018.
[7] Lindsay McGettigan, “Three Tests That Can Save Your Marketing Personalization Strategy,” MarketingProfs, 26 March 2018.
[8] Staff, “Why must You Use Cognitive Computing for GCPR?” Coseer, March 2018.
[9] Pamela S. Hrubey, “Why GDPR is the best opportunity data managers ever had,” Information Management, 28 March 2018.