Business media is abuzz with chatter about the EU’s upcoming General Data Protection Regulation (GDPR). Everyone knows that, like the proverbial winter, it is coming, but there is still much confusion about what it means and how organisations should prepare.
At its core, GDPR is an evolution of its predecessor, the EU Data Protection Directive of 1995 (Directive 95/46/EC). Unlike the directive, it is a regulation that applies directly in every member state without national implementing laws, and it introduces new and more extensive requirements on the collection, use and management of personal data. Note that GDPR's term is "personal data", which is broader than the US notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie IDs. This article uses PII as shorthand for it.
Since the advent of the information age, companies have thought of PII as their property – an asset obtained, retained and used at their sole discretion. However, unchecked stockpiling of personal information today can quickly turn valuable business data into a growing liability tomorrow.
A recent string of high-profile data breaches has alerted consumers to the risks they are facing, and they want more control over who uses their personal data – and how they use it. Besides dealing with unhappy customers and the persistent threat of data loss, companies today are also facing increased attention from regulators.
Key GDPR facts
- Who is affected by GDPR?
GDPR affects companies both inside and outside the EU.
Put simply, any organisation established in the EU, and any organisation outside it that offers goods or services to people in the EU or monitors their behaviour, is affected (Article 3), regardless of where the data is actually processed. Residency and citizenship are not the test; the location of the person whose data you handle is. Whether you are a university in the United States or an online retailer based in South Africa, if you have customers, students or patients in the EU, you have to comply with GDPR.
- How are they affected?
Systems, people and processes within the organisation are key to GDPR compliance. As is the case with other information-related regulations, technology is only part of the solution enabling compliance. The best technology in the world can be thwarted with poorly designed processes and untrained workers.
- What is the impact?
Organisations that breach GDPR may face administrative fines in two tiers (Article 83). Failures such as inadequate security measures (Article 32) or breaches that go unreported (Article 33) carry fines of up to 10 million euros or 2 percent of total worldwide annual turnover; violations of the core principles, of data subjects' rights or of the rules on international transfers carry fines of up to 20 million euros or 4 percent. In both tiers the higher of the two figures applies, so for a large company the percentage is the binding limit. Legally, choosing not to comply is an option only for organisations that never process the data of people in the EU.
How to move forward
1. Take stock
Follow the path PII takes through your organisation. What systems, roles and business processes touch it? When and where is it acquired, transferred, replicated or stored, and for what purpose? To become compliant, you will need to audit your information processes and optimise them to reduce the risk of exposure and improve governance over every stage of the information lifecycle. The resulting data map also gives you most of what Article 30 requires in the record of processing activities: the purposes of processing, the categories of data and of recipients, the envisaged retention periods and a description of the security measures in place.
Be cognizant of the fact that the PII your company collects and manages may flow beyond your organisation's perimeter to third parties such as partners or cloud software providers. Under GDPR those providers are typically processors acting on your behalf, and you remain responsible for them: Article 28 requires a written contract that sets out their obligations, and you should verify that their practices are adequate rather than take their word for it.
If your systems and processes involving PII are numerous and complex, you may want to engage a business or legal consultant to help ensure you cover all angles and apply your industry's best practices.
2. Define policies
People are a key factor in maintaining compliance. The most stringently controlled systems and processes can be easily undermined by employees who do not know – or choose not to follow – compliance requirements. Establishing a policy that reinforces compliance requirements and training employees on that policy demonstrates Due Care in creating a compliance culture.
Also, monitoring, auditing and testing employees' adherence to the policy demonstrates due diligence. Under GDPR this is not optional: the accountability principle (Article 5(2)) makes the controller responsible not only for complying but for being able to demonstrate compliance. Being able to show both due care and due diligence also goes a long way in defending against liability claims.
3. Let technology do the heavy lifting
Information management technologies have long helped companies meet compliance requirements. In fact, given the sheer volume of business data most organisations now hold, it would be virtually impossible for a modern organisation to maintain compliance manually, without information management tools to track and automate key compliance tasks.
While there is no “magical app” to singlehandedly make your organisation GDPR-compliant, a capable enterprise information platform can help you ensure that your processes and users are set up to reinforce compliance rather than compromise it. Some of the technology-enabled features to consider are:
- Automated retention management to delete data proactively once it reaches the end of its retention period, as the storage limitation principle (Article 5(1)(e)) requires
- Access control and encryption to prevent unauthorised access to, and copying of, protected data (Article 32 names pseudonymisation and encryption explicitly as appropriate measures)
- Dynamic privacy features like automated redaction and data masking, so that employees and partners get the information they need without seeing data they are not authorised to see
- Auditing and reporting features, so your organisation can monitor compliance and prove it when asked
It's worthwhile to note that, at the time of writing, there is no certification of software products as "GDPR-compliant" or "GDPR-certified." GDPR does provide for certification mechanisms and seals (Article 42), but the certification bodies and criteria are still being established, and in any case compliance is a property of your organisation's processing, not of a product. The effectiveness of any software solution in helping your organisation maintain compliance will depend largely on how the solution is deployed and configured, and on the processes and policies within your organisation.
There is also an upside to pursuing GDPR compliance. Organisations routinely spend millions on optimising transactional data management in order to improve customer experiences and profitability. By contrast, they have largely neglected lifecycle management of customer data.
For many organisations, as long as customer data gets in the hands of sales and marketing, little else seems to matter. This often leads to undisciplined and decentralised treatment of this important data, leaving it scattered across the organisation and increasing risk of liability due to a data breach.
Personal data is among the most common targets of data breaches, yet this type of information is often the least governed. Think about your own experiences when you have had to share sensitive information. What happened to the photocopy of your state-issued ID when you opened a bank account? What about the Social Security number you had to write down on the healthcare provider's intake form?
Today, most organisations’ business processes are not structured to prioritise good information management practices. However, proactively managing and destroying this data can have several significant benefits to the organisation by:
- Reducing the exposed surface if the company does fall victim to hacking or an unintentional leak; data you no longer hold cannot be breached
- Decreasing the cost of storing information past its retention period
- Improving organisational effectiveness by maintaining good hygiene of customer data
- Increasing customer trust by following or exceeding mandated data protection standards
The road to GDPR compliance may present many challenges and even uncover some unpleasant surprises about your organisation’s data management practices. But, in the end, your company just may come to realise that taking new steps to respect and protect your customers’ data is just good business.