The General Data Protection Regulation (GDPR) is set to go into effect on May 25, 2018, and yet many companies are still wondering if GDPR applies to them. The short answer is that it probably does. The GDPR requirements are incredibly broad, impacting any organization that stores data on Europeans. This includes the bed and breakfast which just received a reservation from a European, a financial services company with international customers, big-box retailers, and manufacturing firms with a global client base. Each must adhere to the GDPR requirements or face heavy penalties.
GDPR is not your typical compliance package. Sure, it includes many of the requirements of other large regulations such as HIPAA, but it also contains items that are important mainstays of European privacy. This offers companies a chance, not only to become compliant but to address the desires of the European customer base. Companies that embrace the European view of privacy can establish a greater degree of trust with a valuable customer base and begin to build the trust and brand loyalty that leads to longstanding customer loyalty and evangelism.
General Data Protection Regulation (GDPR)
So what does this European view of privacy look like? It is comprised of consent, the right to erasure, and the right to data portability.
GDPR mandates that companies obtain consent from individuals before storing their information. Consent must be specific to how the data will be used. Organizations must first spell out how they will use an individual’s data and then obtain approval for that use. Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed. This report must be produced upon request by supervisory authorities: the local governing bodies with which the business is associated for purposes of compliance and reporting.
Right to erasure
The right to erasure, also known as the right to be forgotten, requires that companies remove the data they have on a person if requested by the individual. Customers want to be able to utilize services and understand that those services may require them to divulge personal information. However, once they have received the service, they desire the ability to have their data removed out of a concern that the data could later be used for other purposes or lost in a data breach. The right to erasure gives Europeans more control over how and when their data is used.
Right to data portability
Under GDPR, individuals have the right to data portability. This allows customers to move between vendors without the risk of a vendor holding data hostage. Companies must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.
Recipes for Success
The road to GDPR compliance starts with some key steps. The first is to establish a steering committee; next, name a data protection officer; then conduct a data map; and lastly, perform a risk and gap analysis.
The first function is to establish a steering committee. Senior management needs to be a driver behind GDPR compliance. This comes out of a vision for how GDPR compliance can position the company to be most successful, not primarily as a way to avoid fines.
Corporate executives are now approaching GDPR from the perspective of, “If we do not do this, we’ll lose business.” Within the EU, for example, the ability to compete for new government contracts or grants is now based, in part, on the ability of applicants to show full GDPR compliance. Business partners, when considering potential new relationships, are currently looking carefully at whether or not possible partners are GDPR-compliant.
Data protection officer
Second, name a data protection officer when one is required. GDPR requires public authorities and organizations to have a data protection officer when their core business involves large-scale processing or monitoring of individuals. The data protection officer must be a senior person in the organization who reports to executive management. Furthermore, they must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.
The third function is data mapping. The process identifies where data resides, what type of data it is, how it is used and how it is secured. Many companies lack clarity on how much data they are collecting, where they are storing it and how they are using it.
By some accounts, the “data for the sake of data” mentality that has come to define the big data era has led to a situation where 30 to 40 percent of all data collected by companies is either redundant, obsolete or trivial. Many companies can realize new operational efficiencies when they perform a GDPR data map. This may include removing data they no longer need to reduce risk and the cost of managing the data or finding new ways to utilize the information they have to gain new insights.
Risk and gap analysis
The process of risk and gap analysis can lead to new operational efficiencies. Begin the process by determining what you are already doing and how that can be augmented to meet the GDPR requirements effectively. This includes more than just computers and servers, because private data could be stored or processed by a wide variety of devices, including IoT devices, so companies should evaluate traditional computing devices as well as IoT for their privacy risk. Kemp also notes that legal opinions on GDPR should be factored in when considering the risk to the organization and its customers.
All these activities have the potential to lead to competitive advantage. Something very remarkable is happening in the way companies think about data privacy. Over the past few years, personal data privacy has transformed from a pure compliance or legal issue into an issue that now has the attention of the marketing, PR and product development teams. In short, companies are now creating data privacy strategies the way they once created an Internet strategy or a mobile-first strategy.
Companies might be able to create higher quality services by offering superior data privacy to that of their competitors. In short, customers would be willing to pay extra for the peace of mind of knowing that their data is safely stored, collected and used. Privacy, viewed from this perspective, becomes an essential business differentiator and a source of new product innovation.
Best of all, companies that are GDPR-compliant will have the trust of their partners, vendors, and customers. In an era where more data is being collected by more devices than ever before, it is finally time to think carefully about the way that companies use all that data. As a result, it is time to welcome the new GDPR, not fear its imminent arrival.
GDPR is coming fast. Are you prepared for the changes? You might be closer than you think. Many large companies have been working on GDPR compliance for some time now, and they already offer mature product offerings that can help you become compliant efficiently and cost-effectively. The cloud, in particular, provides excellent flexibility and scalability to meet varying company needs with technologies that have already been designed to GDPR’s requirements.
This article was sponsored by TCDI, a cybersecurity, computer forensics, and eDiscovery company.