We are now less than a year away from the implementation of the European Commission’s General Data Protection Regulation (GDPR) on May 25, 2018, and the stakes for companies are high.
First, the GDPR “applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location”.
Second, non-compliant organizations can face devastating fines as high as four per cent of the annual global turnover or €20 million, whichever is higher. Third, preparing to meet the requirements of the GDPR cannot be done overnight simply by deploying security software, which, unfortunately is where too many GDPR response discussions start.
The good news is that companies that begin now can make tremendous progress toward creating a data infrastructure that dramatically reduces the likelihood of GDPR non-compliance and that minimizes the financial impact even if something goes wrong. Here are the five key steps organizations must take to get ready.
Unify data management strategically
In the face of the GDPR, other evolving regulations, and advances in technology, data management and governance practices must be unified and auditable across all geographies and lines of business, and across on-premises, private cloud, public cloud, and hybrid infrastructures. The first step to achieving this is recognizing that every executive, manager and user has a stake in data management. C-level champions are essential, and CIOs, CDOs, and privacy officers must take the lead. This initiative must directly connect the data management, information security, legal and information governance teams, along with the lines of business.
Locate and understand the flow of all data
Stakeholders must work together to locate all data stores with collected information (such as customer data), created information (such as work product that might include customer data), and derived information (such as the results of analytics and machine learning that might include customer data).
They must understand the flow of information – the movement of data in business processes across multiple stakeholders (such as corporate counsel, strategic partners, etc.) and systems (such as legacy systems, cloud service providers, PCs, BYODs, etc.). Data mapping is an essential tool to create a visual depiction of how personal information flows across systems and devices as part of business processes. The map can include an overlay of GDPR requirements. In fact, the careful analysis of data flows in business processes is an essential component in our GDPR readiness assessment activities to ensure that our clients gain a sound understanding of their information landscape.
Evaluate all data
Only with the ongoing efforts of the first two steps can stakeholders evaluate the purpose or use of data and the regulatory obligations associated with it. Business users need to understand the value of the information they use to the organization. This is essential to helping all the key stakeholders (CIO, CDO, Privacy Officer, Legal, and InfoGov) assess:
- What information is subject to GDPR?
- If data must be preserved, for how long? Is there a conflict between preservation requirements and GDPR requirements? If so, how will it be resolved?
- Is some data of “Legitimate Interest” to the organization for possible exemption from certain GDPR requirements (for example, GDPR Article 6 Lawfulness of processing)?
- Has consent been obtained for the intended use of the information (GDPR provides clear requirements and conditions to gain and establish consent)?
Dispose of all disposable data
Now that value has been assessed, it is possible to get rid of all data that has no business, legal or regulatory value, as well as all data that must be deleted to comply with the GDPR. In addition, now that IT knows where all the data is located, it is possible to ensure the proper deletion of all relevant data. This is critical to minimizing the impact of breaches and GDPR non-compliance. Moving forward, the deletion of obsolete data must become an integral part of operations to ensure that companies dispose of records or data in a controlled, legally defensible fashion.
Protect what’s left
This is where most GDPR preparation discussions start, but only after following the first four steps is it actually possible to:
- Properly track the collection and movement of data
- Effectively control access to sensitive and private data
- Knowledgeably employ the most appropriate vendor security solutions, such as firewall, anti-virus, anti-phishing, etc.
- Automate disposal
- Provide employee training on data protection and privacy that has a chance of being effective
- Prepare for crisis management
- Establish processes and procedures to enable the organization to react to inquiries by authorities or individuals within the time frames defined in the GDPR
The inevitable GDPR time bomb is going off soon, and doing nothing to prepare for it beyond some new security measures and training is a recipe for costly data disasters. A real preparation effort will take time, and the sooner you start on this iterative journey, the better the position your organization will be in to avoid GDPR penalties or a least minimize their impact.