Whether you work in IT, compliance or at C-level, you will have heard of the new EU General Data Protection Regulation by now. With the compliance deadline of May 2018 fast approaching, you have hopefully already started taking the necessary steps to keep your company from incurring massive fines. How do you cope with such a daunting task?
Staying ahead of the game when it comes to the EU General Data Protection Regulation (GDPR) is necessary in a world where the protection of personal data is a key focus area for legislators around the world. You may be tempted to think this is mostly relevant for industries where massive amounts of personal data are a crucial part of the service they provide, such as financial institutions and health care providers, but that is not the case. In the following, I would like to give you some insight so that you are better prepared.
The GDPR legislation – the abbreviated version
Protection of personal information and the individual's right to privacy are high priorities for the EU. After the adoption of the GDPR, every citizen, in fact every consumer, will gain new individual rights. For example, you have the right to know how your personal data is used, to give and withdraw consent, and even to have your data completely erased upon request. Companies are required to assign a Data Protection Officer and must report all security breaches involving personal data to the authorities within 72 hours. If they do not, they face fines of up to 20 million EUR or 4 per cent of their annual global turnover, depending on the type of breach.
In other words, this is serious business. All companies trading within or with the EU have until May 2018 to comply with these new regulations, and while this deadline may seem far away, it is anything but. The regulation has a profound impact on the management of data, and most companies might need significant time to implement solid solutions and make the organizational changes needed to meet GDPR requirements. Some may be tempted to handle their compliance workload through manual processes, cataloging the whereabouts of personal data in Excel spreadsheets or similar, but they will sooner rather than later envy those who have implemented automated systems that are scalable and easier to maintain.
Why is this such a big deal?
In an age of ever-increasing mountains of data, and the associated potential for abuse, it is key to ensure the safe and proper handling of personal data. This is the aim of the EU, and the regulation will challenge many companies because it implies a stronger focus on data governance. Companies are not only obliged to have clear documentation and policies on how they handle personal data; they must also know where that data resides, how it is used and who is accessing it. That includes duplicate data copied into different systems across the organization. Without this traceability, it is operationally impossible to honour the consumer's new rights should he or she wish to gain insight into usage or to be completely erased.
The task becomes difficult for these reasons:
- Personal data can be elusive – column headers might not be indicative of column content, and personal data might reside in free-text fields, in unstructured data formats and web streams, or hardcoded into the interfaces of legacy systems. Furthermore, personal data is also about context. On its own, a piece of data could be meaningless or without risk, but pieced together with other personal data it could become high risk because it can be linked to a real person. Therefore, you need to carefully assess personal data, evaluate the risk and implement mitigation tactics.
- It needs to be ongoing – this is not just a matter of fix and forget. With GDPR, the less governed your data is, the harder it is to stay compliant, because personal data could be sitting in new data stores that have not yet been cataloged. Systems have a habit of changing to meet new market and consumer trends, and data is migrated, so it is vital that your company's policies follow suit.
- There needs to be an organization-wide focus – if a consumer withdraws consent, the consequence is erasure of the consumer's data. That could prove tricky if duplicate consumer data resides in various formats and systems. Therefore, when striving to comply with GDPR, many will welcome the added benefit of improving their data quality and data governance processes throughout the organization. This in turn benefits users analyzing data, providing the foundation for faster and better business decisions.
Recommendations on how to become GDPR compliant in time
For all the above reasons and more, companies and management should act now to meet the May 2018 deadline for the enforcement of GDPR. In our work with our customers today, we recommend these five steps:
| Step | What it involves |
|---|---|
| 1. Access | Access data sources for personal data investigation or business use. |
| 2. Identify | Find, catalog and analyze personal data attributes, patterns and contexts to evaluate the need for de-identification and risk assessment. |
| 3. Govern | Implement data flow analyses and data protection impact assessments, incident management and policy management. Provide traceability through lineage and a personal data term glossary to educate your employees. Provide a 360° view to support the right to be forgotten and consent. |
| 4. Protect | Implement data protection safeguards and apply privacy-specific measures such as pseudonymization and anonymization. |
| 5. Audit | Log, monitor and audit usage of personal data to demonstrate compliance with privacy controls and prove that personal data is not at risk. |
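The following example is added here and is not part of the original post or of any SAS product. It shows the Identify and Protect steps in a few lines of Python, and also the point made above that headers may say nothing about content and that harmless fields become risky in combination: columns are classified by the shape of their values rather than their headers, free-text cells are flagged when they embed identifiers, co-occurring quasi-identifiers are reported as a linkage risk, and direct identifiers are pseudonymized with a keyed hash. The sample rows, detector patterns, threshold and key are constructed assumptions.

```python
import hmac
import re

# Constructed sample extract; the headers are deliberately meaningless, as in the point above.
ROWS = [
    {"f1": "Anna Berg", "f2": "anna.berg@example.com", "f3": "1984-03-12", "f4": "2100",
     "f5": "Called about invoice, phone +45 20 12 34 56"},
    {"f1": "Jonas Holm", "f2": "j.holm@example.org", "f3": "1979-11-02", "f4": "8000",
     "f5": "No follow-up needed"},
    {"f1": "Mia Lund", "f2": "mia@example.net", "f3": "1991-07-30", "f4": "5000", "f5": "Prefers e-mail"},
]

# Value-shape detectors (constructed, simplified): classify by what values look like, not by header.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "birth_date": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "postal_code": re.compile(r"\d{4,5}"),
    "phone": re.compile(r"\+?\d[\d ]{7,}\d"),
    "person_name": re.compile(r"[A-Z][a-z]+ [A-Z][a-z]+"),
}
DIRECT_IDENTIFIERS = {"person_name", "email", "phone"}
# Harmless on their own, but together they can single out a real person.
QUASI_IDENTIFIERS = {"birth_date", "postal_code"}

def classify_columns(rows, threshold=0.8):
    """Label each column from its content; the header name is ignored entirely."""
    labels = {}
    for col in rows[0]:
        values = [r[col] for r in rows]
        for label, pat in PATTERNS.items():
            if sum(pat.fullmatch(v) is not None for v in values) / len(values) >= threshold:
                labels[col] = label
                break
        else:  # no single shape dominates: treat as free text, flag embedded identifiers
            if any(PATTERNS[d].search(v) for d in DIRECT_IDENTIFIERS for v in values):
                labels[col] = "free_text_with_pii"
    return labels

def linkage_risk(labels):
    """True when the quasi-identifiers co-occur, so rows may be re-identifiable."""
    return QUASI_IDENTIFIERS <= set(labels.values())

def pseudonymize(rows, labels, key):
    """Keyed-hash the direct identifiers. This is pseudonymization, not anonymization:
    whoever holds the key can still link a pseudonym back to the original value."""
    def pseud(value):
        return "pseud_" + hmac.new(key, value.encode(), "sha256").hexdigest()[:16]
    return [{c: pseud(v) if labels.get(c) in DIRECT_IDENTIFIERS else v
             for c, v in r.items()} for r in rows]
```

Note that the free-text column is flagged but not rewritten: identifiers embedded in free text need redaction inside the cell rather than column-level pseudonymization, and the key must be stored apart from the pseudonymized data.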
In a nutshell, SAS provides the technological basis that supports your compliance processes and actions so that you can provide the necessary information to the authorities in a timely manner when asked to do so.
I hope these tips were useful, and do not hesitate to reach out to me or my colleagues to hear more about how SAS supports your efforts to become GDPR compliant in time.
Download a fact sheet about 5 steps to prepare your data for new regulation.