For all the procrastinators, here’s some GDPR triage
If you’ve been slow to comply with the EU’s personal data requirements -- or if you don’t know where to begin -- here are a few suggestions.
Perhaps your company hasn’t really done anything to get ready for the General Data Protection Regulation (GDPR), which goes into effect about two months from now.
In that case, it may be time for GDPR triage.
Tim Jesser, director of product marketing for Stockholm-based software asset management firm Snow Software, has a few suggestions. His background includes data security and software management.
First, he told me, “ignore the alarmists.”
“The enforcement won’t be that bad [at first],” he said, “because [the maximum fine] equal to 4 percent of annual global revenue or 20 million euros is for repeat offenders.” Of course, there won’t be many repeat offenders at the beginning.
Next, get a realistic sense of your exposure.
At one end of the spectrum, the most liable companies are those with presences in the European Union (EU) that process personal data from EU citizens.
At the other end are companies elsewhere, with no EU presence, who may inadvertently process personal data of EU citizens without knowing it.
The basic terms
Virtually every company with online activity is somewhere on that spectrum. But even if you’re on the less-exposed end, keep in mind several things.
EU citizens can sue any company in European courts for GDPR privacy violations. Although such litigants are likely to pick their targets carefully, this means that no company is fully immune — even if the GDPR-enforcing authorities are on the other side of the world.
And keep in mind that consumer tolerance for inattention to personal data may well have reached its limit.
The reaction to the Facebook/Cambridge Analytica scandal, for instance, is just beginning to kick in, there continue to be massive data breaches reported nearly every other week, and the ad-blocking trend continues.
All of which means that the following specific steps are desirable and useful even if the GDPR police or litigants never come knocking on your door.
Jesser advises that all companies become familiar with GDPR’s basics, starting with the terms that are now becoming common. There’s personal data (compared to the US’s “personally identifiable information,” or PII), data portability, consent, legitimate interest, “privacy by design,” Data Protection Officers and the like.
In particular, try to assess if/when you will need user consent and how you are going to get it, store it and disseminate it. There are a variety of online guides, including ours. As you consider mechanisms, recognize that the Interactive Advertising Bureau (IAB) and Google are among those that may be offering systemwide software solutions for managing consent.
Then, make sure you understand completely, and in detail, where every bit of personal data resides in your company.
Security appropriate for risk
“One of the mistakes organizations are making,” Jesser told me, “is they think they understand their system, but they have [applications and data sets] they don’t know about.” This is particularly true with companies that have migrated to the cloud, where personal data lives in someone else’s environment while its earlier versions may live on premises.
Even without GDPR, a modern company should have a complete mapping of where personal data resides. If you don’t know, hackers certainly will.
This should lead to a full audit of personal data flow in your company, so you can take protective measures along the paths and be prepared to completely delete personal data if so requested by a user. Eventually, you will want to set up a streamlined method for such management and deletions, of course, but first, understand it.
In particular, understand exactly how personal data you’re collecting, processing or storing is shared with other companies and what their GDPR-specific policies are. Data leakage is one of the biggest issues for the successful management of personal data.
Make sure there is security appropriate to the risk, Jesser advises. Don’t just say, “We have a network firewall,” for instance, and leave it at that. Equifax apparently thought it had thrown enough security at its massive store of personal data before it was hacked, even though it didn’t encrypt the data.
Understand how every new project, software development or policy impacts your collection, processing and storage of personal data. In other words, start developing the habit of seeing how every company decision affects personal data, just as you assess how every decision affects your bottom line.
And set up ongoing documentation of how personal data is managed. GDPR doesn’t spell out every kind of implementation, but it does require that companies take full responsibility for managing personal data and be able to show their due diligence.
Of course, the above is a lot to do in eight weeks. But perhaps this gives you some idea of where to get started.