It’s the morning of May 25, 2018 and you arrive at your desk to find a message from a former job applicant in Germany asking for an inventory of all Personally Identifiable Information (PII) you hold on him, along with a request to delete all of it. There’s also a notice from IT saying they have discovered a data breach that they believe has been contained, but they won’t be certain until the middle of next week.
How urgent is this? How long will it take you to find every piece of PII on the applicant? How serious is the data breach if it’s probably contained?
Information about how to comply with the European Union (EU) General Data Protection Regulation (GDPR) has been available since April 2016, yet there are still companies that will be surprised when May 25 arrives. Mika Javanainen, Vice President of product management at M-Files, says there is still time to develop policies and processes to comply. Many organizations, however, are not ready:
“The May 2018 deadline to comply with GDPR is now just under a year away, but the fact is, many US companies with an EU or UK presence are simply not ready or may not understand the full scope of the GDPR. These new rules represent some dramatic changes in the way businesses are required to handle data.”
Non-compliance will be costly, and slow breach reporting can come with steep fines, he said:
“In addition, GDPR processes for reporting breaches will be much swifter in 2018 – in three days’ time. This is much faster than reporting policies in the US, and failure to adhere can result in fines of up to 4% of the company’s entire worldwide revenue, or 20 million euros, whichever is greater.”
Essential Policies and Processes
GDPR was developed to simplify data privacy laws across Europe and to give EU citizens control over their PII. “This changes the concept of personal data, expanding its definition and asking companies to gain people’s consent to use their data.” To comply, organizations will need to develop policies and procedures for handling PII that include monitoring compliance with the new regulations, he said.
“First of all, you have to explain why you are collecting personally identifiable data, for what purposes, how long [you plan to keep it], and how you’re going to store it,” said Javanainen. Processes for timely reporting of data breaches also need to be put into place, as well as training of staff.
Companies must also be able to quickly and comprehensively find and access PII in every place where data is stored. For some, this is a very complex problem to manage, he said, because it’s rare that a company has just one or two systems where it might hold customer data; in big enterprises, some have thousands of systems. “We have been discussing with customers who have identified 6,000 different locations for where they might have this data.”
Data breaches become more complicated under GDPR, because breaches must be reported quickly, he said:
“That’s the worst thing that can happen to you pretty much in this context. It’s much worse than a citizen coming to you and asking for what do you have. But when the data breach happens to you, then all of a sudden, you might lose 60,000 customer records or whatever the number is. Now, you have to inform all these clients that, ‘Hey, we have lost your records, or compromised them.’ The reputation risk there is way bigger of course as you might imagine.”
GDPR Defined
The General Data Protection Regulation (GDPR), adopted by the European Parliament and Council in April 2016, becomes enforceable on May 25, 2018. It protects the personal data of anyone in the EU, regardless of citizenship, and applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. “So even if you’re an American business, as long as you are doing business with European customers and you’re storing data about European citizens, you have to comply with this regulation.”
GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. GDPR affords EU citizens new rights to privacy, he said. “They can, for instance, approach any company and ask, ‘Okay. What information do you have on me?’”
This also includes the ‘right to be forgotten,’ which requires companies to delete a person’s information on request (subject to exceptions such as legal retention requirements, discussed below), he said:
“For instance, if you signed up for a newsletter from a US company as an EU citizen, you have to write to us, ‘Okay. So how much information do you have on me? Do you have – maybe – the city where I live in and email address?’ and so forth,” he said. “And then you can request to be ‘forgotten,’ in a way, so these businesses would have to remove those records from their databases.”
There are many potential impacts for businesses that manage customer records, “Or any other details about EU citizens, their social security numbers, email addresses, or anything else that will help to identify an EU citizen,” he said.
Penalties for Non-Compliance
The impact of non-compliance is quite significant, he said, “You may get a fine of up to 2 million euros or 4% of your revenue whichever is greater. It’s a big financial impact, or could be, potentially, if you’re not complying with this new regulation.”
Policy Response to GDPR
Along with policies and procedures for answering EU citizen requests about PII, organizations will also need clear procedures for how they will respond to data breaches or hacking, he said. “What are your responsibilities as a data processor to inform these parties whose data might have been compromised?” Compliance may entail additional staff time. “Some companies will need to appoint a data officer,” he said. “That’s an appointed person who needs to get trained and who is responsible for all these processes getting implemented within a company.”
Know Where Your Data Is
He says it’s essential to learn the location of all customer data in all systems. “That’s the first action that any company would need to do.” Creating a risk assessment with an estimate of what kind of data is likely to be requested and how many requests might be expected “gives you the priority list to start automating these systems.”
Locating all customer data and ensuring GDPR compliant management can be a daunting task, but there are options for automating those processes. Javanainen says that M-Files uses Artificial Intelligence to streamline the process of locating and managing PII, “Which often resides in a host of different systems, network folders and other information silos, [making it] even more challenging for companies to control and protect it.”
“Work with us or a similar vendor to first assess what you have.” M-Files, for instance, provides tools to track all the different silos where data lives. With all repositories defined, “You can then start indexing and crawling that data so when the request comes in, you can actually very conveniently deliver the results.” Not only can automation help with locating and managing those critical files, it can also help prioritize tasks for implementation. “It’s not necessarily so much about actually chomping on and implementing something real quick, but it’s first about getting an understanding about what do we have, and what do you do first?”
“With AI, you can quite easily recognize concepts like ‘person names,’ which is pretty important in this context,” he said. To find out how many documents you have that refer to persons (as opposed to companies), or to find out how many documents, social security numbers, phone numbers you have in any one repository, “You can combine those analytics, and then begin to understand that the odds are that we have a lot of [personal] data in this repository, which provides a way to prioritize in the context of GDPR.”
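The inventory-and-prioritize step described above, as an added example that is not M-Files code: a small scanner that crawls a set of text repositories, counts identifier types per repository, ranks the silos by an assumed risk weighting, and locates every document mentioning a given data subject (the starting point for the access or erasure request in the opening scenario). The three repositories, their documents and the weights are constructed for the example; the regular expressions are a stand-in for the name and identifier recognition the article attributes to AI, and the honorific-based name heuristic is exactly the part a trained entity recognizer would replace.

```python
"""Added example (not M-Files code): a minimal PII inventory scanner.

Crawls text repositories, counts identifier types per repository so the
riskiest silos can be prioritized, and locates every document that
mentions a given data subject.  Repositories and weights are constructed
assumptions for the example.
"""
import re
from collections import Counter

# Constructed sample data: three silos, each mapping a path to its text.
SAMPLE_REPOS = {
    "hr-share": {
        "applicants/2018-03.txt": (
            "Applicant: Mr. Hans Mueller, hans.mueller@example.org, "
            "phone +49 30 1234567. US SSN on file: 078-05-1120."
        ),
        "applicants/notes.txt": "Interview notes for Ms. Anna Schmidt. Strong candidate.",
        "applicants/template.txt": "Enter the SSN as 000-00-0000 and attach the CV.",
    },
    "marketing-crm": {
        "newsletter.csv": "anna.schmidt@example.net,Berlin\nbob@example.com,Munich\n",
    },
    "engineering-wiki": {
        "runbook.md": "Restart with systemctl restart app. Contact: ops@example.com",
    },
}

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Loose international phone pattern: optional +CC, 2-4 digit area code, two groups.
PHONE = re.compile(r"(?<!\w)(?:\+\d{1,3}[ -]?)?\(?\d{2,4}\)?[ -]?\d{3,4}[ -]?\d{3,4}(?!\w)")
US_SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Name heuristic: honorific followed by capitalised words.  It under-counts
# (no honorific, no match); this is where an NER model would replace a regex.
PERSON = re.compile(r"\b(?:Mr|Ms|Mrs|Dr)\.\s+([A-Z]\w+(?:\s+[A-Z]\w+)+)")

# Assumed weights: a leaked SSN hurts more than a leaked e-mail address.
WEIGHTS = {"us_ssn": 5, "person_name": 2, "phone": 2, "email": 1}


def valid_us_ssn(area, group, serial):
    """Reject SSNs the SSA never issues; cuts template/placeholder noise."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def classify_document(text):
    """Return a Counter of identifier types found in one document."""
    found = Counter()
    found["email"] += len(EMAIL.findall(text))
    ssns = [m for m in US_SSN.finditer(text) if valid_us_ssn(*m.groups())]
    found["us_ssn"] += len(ssns)
    # Strip anything SSN-shaped before phone matching so a 9-digit SSN is not
    # counted a second time as a phone number.
    found["phone"] += len(PHONE.findall(US_SSN.sub(" ", text)))
    found["person_name"] += len(PERSON.findall(text))
    return +found  # unary plus drops zero-count keys


def scan_repositories(repos):
    """Per-repository inventory: document counts, hits per type, risk score."""
    inventory = {}
    for repo, docs in repos.items():
        totals, hit_docs = Counter(), 0
        for text in docs.values():
            c = classify_document(text)
            if c:
                hit_docs += 1
                totals.update(c)
        score = sum(WEIGHTS[k] * n for k, n in totals.items())
        inventory[repo] = {"docs": len(docs), "docs_with_pii": hit_docs,
                           "counts": dict(totals), "score": score}
    return inventory


def prioritize(inventory):
    """Repository names ordered by risk score, highest first."""
    return sorted(inventory, key=lambda r: inventory[r]["score"], reverse=True)


def find_subject(repos, identifiers):
    """Every (repo, path) mentioning any of a data subject's identifiers,
    case-insensitively: the starting point for an access or erasure request."""
    needles = [i.lower() for i in identifiers]
    hits = []
    for repo, docs in repos.items():
        for path, text in docs.items():
            low = text.lower()
            if any(n in low for n in needles):
                hits.append((repo, path))
    return sorted(hits)


if __name__ == "__main__":
    inv = scan_repositories(SAMPLE_REPOS)
    for repo in prioritize(inv):
        print(f"{repo:18} score={inv[repo]['score']:3} {inv[repo]['counts']}")
    print(find_subject(SAMPLE_REPOS, ["Anna Schmidt", "anna.schmidt@example.net"]))
```

On the sample data the HR share ranks first because of the valid SSN and two person names, while the placeholder `000-00-0000` in the template is rejected by the issuance check rather than inflating the count. Against real file shares the same structure applies: feed each crawled document to `classify_document`, keep the per-repository totals, and work down the prioritized list.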
In some companies, for instance, employees might be using Dropbox to store their CV, he said. “That’s probably something that the IT doesn’t want from the security perspective.” M-Files might recommend moving that data behind a firewall and encrypting it, he said. “That’s part of the analytics offering that we can bring to the table.”
Mitigate Risk
The GDPR changes how companies should look at storage of data, he said. The risk of data being compromised grows with how it is stored, how many different systems it is stored in, how many people are involved in the process, and how long it is kept. For instance, now that PII on job applications is regulated under GDPR, Javanainen recommends that a company routinely purge that data fairly quickly to reduce the risk from a data breach or audit. “There are those kinds of procedural things that organizations will have to really think about.”
There are instances where completely removing all data is impossible, he said. “You have to retain some data like billing records [and] there might be conflicting regulations,” such as records retention laws. “Now, if the citizen asks you to remove that, it’s going to add a lot of complexity to the process,” in terms of understanding what data can be removed from the system and what cannot be removed. “There will be conflicting situations where this regulation says something, and then you might have an Accounting Act or something in a local or state [regulation] that says something else.”
Another way to lessen the impact of a data breach is to encrypt your data, he said. “What we do on that front is first of all, provide encryption services so that the data is not unencrypted on those different repositories. So, when the breach occurs, the likelihood of the hacker getting the data in unencrypted format is much lower or non-existent. We just make it much more difficult.”
“For some customers, it’s a little bit similar to HIPAA compliance in the US back in the day when that came about. I don’t think that the health providers were all that excited about that, but now, the way they look at it is ‘this is some extra work that I have to do on top of providing these health services,’ and that’s the case here as well. But it can be also used as an opportunity to really review your processes and streamline some of that, because if you have to do this anyway, you probably want to do it in a smart way that’s sustainable and doesn’t distract [from] your business.”
Photo Credit: kb-photodesign/Shutterstock.com