The countdown to the May 25, 2018 General Data Protection Regulation (GDPR) enforcement deadline is almost at zero, causing some organizations to panic, and others to procrastinate, hoping for a miracle.
A whitepaper by ASG Technologies compiled with Forbes entitled Make Time for GDPR includes recent figures from Veritas suggesting that:
“86% of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business. More sobering perhaps, is the claim that nearly 20% said they fear that non-compliance could put them out of business.”
In addition, the study indicated that “a whopping 47% of organizations globally have major doubts that they will meet this impending compliance deadline.” Further concerns voiced in the study show that companies fear the impact of non-compliance on their reputation.
The key tenets of the GDPR govern these areas:
- Data privacy as default
- Explicit consent required
- Control of data placed with protected individuals
- Controllers and processors have specific responsibilities
- Data breach reporting
- Data privacy officer designation
- Privacy impact assessment requirements
- Limitations of data flow outside of protected areas
- Substantive fines for non-compliance
- Guaranteed provision of fundamental rights under GDPR
Wringing your hands won’t get you any closer to compliance, but getting help will. There are tools and organizations that can help with implementation, but you’ll need to act soon if you are relying on a miracle.
In a recent DATAVERSITY® interview, Rob Perry, VP of Product Marketing at ASG Technologies, discussed how companies can move from procrastination and panic about GDPR to a practical response.
ASG provides specialized solutions that can map, manage and govern data, including personally identifiable data (PID). According to ASG Technologies, its solutions can help create a structured management process for personal data, set up a business glossary, trace lineage backward and forward (even across datastores), build in reports, dashboards and other deliverables, increase the value of data, meet all regulatory obligations, and avoid penalties.
Perry breaks compliance down into four P’s: Preparation, Production, Performance, and Persistence
- Preparation
Preparation is the first step, where employers focus on educating teams and evaluating technology to create a baseline they will work from, and also where Perry says that most companies are focused. Efforts tend toward getting some kind of automated process in place to understand what kinds of data they have and where it’s located.
“It’s kind of like tough love.” He hearkens back to the introduction of workflow, when the process of integration involved a granular evaluation of paper-based processes.
“’Why do we have seven people reviewing this? We only need three, right?’ Because nobody really looks at workflows in that way, but if you’re going to automate it, you’ve got to really think about who’s doing what. So, in some ways, Data Governance really does help you manage your data better.”
Regulations that require the implementation of better governance can force a company to illuminate areas where it is vulnerable before disaster strikes, and provide an opportunity to prevent future losses.
“Put better processes in place. Put better Data Governance in place. Think about how you’re using data. We hear about some data breaches where it’s just carelessness that causes it. It’s not even some sophisticated hack, it’s just complete carelessness.”
- Production
“Production is the place where all these things happen, and you’ve got to have those processes in place to manage the data effectively on a day-to-day basis,” he said. During the production stage, organizations begin to adapt, shifting data collection, processing, and application practices to be more in line with the new regulations. When a customer asks to be forgotten, for example, the company’s newly-developed policies and processes start working. As applications are developed, “security by design” ensures that compliance with the regulations are built in to that process.
“The regulation requires that you have [specific] accessible language about what you are going to do with the data, and why you’re collecting it.” For example, the age a person is considered a minor varies by country, which must be factored into your policies about collecting data that will now need to be signed off by an adult. If the data about that minor is transported to a processor, you are responsible for ensuring that the processor, “lives up to the standards and expectations of the GDPR,” which often entails putting binding contracts into place, he said.
“And when you design applications, you [need to] do privacy impact assessments, and understand data minimization, as the regulation specifies: that you make sure you only use and access the minimal amount of data necessary for the process, that you understand where the vulnerabilities are, that you protect data along the way of these processes, and then, [you need to understand] the whole rights of the individual: the right to be forgotten, the right to move your data, or the right to update, know what you have, and correct the data if it’s wrong.”
Gain an understanding of the lineage so you can put policies in place and ensure compliance, he said. “Trace it through the organization – how is it being used? where is it being touched? Do we have all the right safeguards in place wherever it is?”
- Performance
Performance is the stage where organizations begin to implement oversight and reporting processes that will prepare them for audits and breaches: “The overall kind of monitoring. You might put it in the Governance category,” he said. This stage is where day-to-day processes are put into place to keep audits and compliance checks from being stressful events, he said.
“One of things we talk about with our data intelligence products is that if you implement it, you structure things, you understand the data, and you understand the processes, then you become kind of audit-ready. So, if they knock on your door, you don’t have to dispatch 50 people to go through everything, build spreadsheets, and put together some reports. [Instead,] you basically understand your data at a much higher level. And you’re ‘audit ready.’”
Perry says that breach policies should also be put into place during the performance stage. Procedures for finding how a breach occurred and where and when to report it: “Just making sure that you can perform within the expectations and the standards, and that you’re on top of that process, and ready to meet all of the requirements.”
He warns that ignoring the compliance deadline could have consequences beyond the steep fines. “I wouldn’t be surprised today if they were to make an example out of a couple of companies, then negotiate down to something else, and remediation. I wouldn’t be surprised if they made a public spectacle. That’s just one of the issues, too, so, not only do you have a fine, but your reputation is harmed, too.” That reputational harm can drive customers away, drive profits down, and reduce marker capitalization.
- Persistence
Persistence is the final step, when organizations begin to automate and monitor these processes. “Persistence takes a lot of diligence to continue the process, to continue training,” and requires a chief privacy officer in charge, “Just having a kind of a mental persistence to be on top of this, and keeping everyone aware of what’s going on” through regular reporting, he said.
“It’s not a one-time thing [where] you become compliant and then, you’re like, ‘Psssh! That’s done, we can move on now.’ This is something that’s going to live with you as long as you’re doing business. Because every time you collect data, you’ve got to make sure that you have the right to use it, that you disclose properly how you’re going to use it, so that if somebody asks, you can prove it. It really needs a kind of ‘stick-to-it-iveness.’”
At first, the focus is on creating an infrastructure and automated systems to make compliance easier, but after that, he said, “You have to stay engaged and make sure everybody else is engaged with it. It’s not just ‘check the box, we’re done and move on. Compliance has to become a way of life’”
Obstacles
Perry said that big companies, “have so much data and they need to get a handle on what they have, what they don’t have.” Before GDPR required companies to know where they have personal data stored, one of the tasks ASG would help with is identifying orphaned data, a process that showed how easy it is to lose track of data without managing it.
“You look at it and you find nothing actually uses this data, it’s just sitting there.” Discovery of personal data everywhere in the organization is essential because, “You can’t protect it, you can’t treat it properly, and you can’t use it properly if you don’t know where it is,” he said.
“One of the challenges, too, is that sometimes data, as it moves from repository to repository, application to application, names change, field names change.” A field called ‘E-mail Address’ at some point gets changed to ‘User ID,’ so you’re not making the connection “that it still contains somebody’s e-mail address in there. Just making sure that you really understand how the data is stored all over the organization is a critical step.”
Change Culture
Organizations that have a company-wide shared understanding of the purpose of GDPR will find it easier to succeed. “The rights of the individual are driving how the data is used,” he said, because the GDPR requires the recognition that personal information “belongs to the individual, not the company.” Perry said it’s important to get to a place where everybody is thinking about it and knows what to do.
“This is an area where [US] companies are really starting to perk up and say, ‘we’ve got to do something,’ and they’re recognizing that automation and tools like [those that] ASG provides can be a big part of the compliance process.”
Photo Credit: Ivan Marc/Shutterstock.com