The Big & Scary Change to Data Privacy: How to Cope.
In less than 9 months, the General Data Protection Regulation (GDPR), the most important change in data privacy in 20 years, will take effect on May 25, 2018. The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and standardize personal data protection.
The new regulation will replace the current data protection directive of 1995, and is truly democratizing data privacy. Its objectives are to give European citizens control over their personal data and to simplify the regulatory environment for international business.
The business impact is serious: Unlike previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy severe fines in amounts exceeding 20 million euros or four percent of annual global revenue, whichever is higher. And unlike the protection directive it’s replacing, the GDPR applies to all companies in all countries who handle data collected from residents of Europe.
The GDPR is the most stringent and comprehensive data privacy regulation to date, and there is no marginalizing the amount of time and effort it will take companies to properly comply. A survey by Experian found that only 9% of companies say they are prepared for the regulation, while 32% said their organization doesn’t have any plan in place, despite knowing the financial consequences of non-compliance.
Integrated risk and compliance management software is often the best solution to successfully meet such broad regulations, as it enables you to scope, prioritize, track, and report on the critical information that is scattered throughout your organization. To properly protect your data, you need to put in place a common risk taxonomy so that you can understand how this disparate information is connected. Below you’ll find some essential questions every company should ask themselves as they progress towards compliance.
1. What data is your organization collecting?
The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights.
Many companies will find it difficult to even begin engaging the right processors to meet compliance because they are unaware of what personally identifiable information is being collected and who’s involved in that process.
The first step to reaching compliance is to determine the answers to those questions. Can your risk management software help you answer them with ease? Effective risk management software should lend you a transparent view into which areas of the business are responsible for collecting different types of data.
Once you’ve obtained this view, it’s important to have conversations with those in charge of handling the data. These conversations should pertain to what the data is being used for, how it is being collected, and whether it’s collection is necessary or not. (After all, you can’t be held liable for losing data you never had).
Your software should be facilitating these conversations. An effective compliance software should be able to send automated notifications and tasks that will ultimately help you answer any questions you have about data collection, maintain good governance over the collection process, and determine the priority of the data your organization is collecting.
One feature of the GDPR is “Right to Access,” which stipulates that companies must be able to provide electronic copies of private records to any individual requesting what personal data of theirs is stored and for what purpose. This is very different from the United States, where employees and other individuals do not have a legal claim to validate their information.
A key benefit of ERM software is that information about the data is housed in one centralized location, meaning that when a report needs to be generated, senior management will know which personnel is responsible for the data in question and who should be sent a task to compile this report. This requires robust permission access on an individual records basis, as the challenge is to give individuals access only to the information they are entitled to while preventing disclosure to others.
ERM software with taxonomy technology allows permissions to be highly granular based on identity and need-to-know parameters to protect privacy while providing transparency to stored information.
2. How is the organization securing this data?
The GDPR requires that data be processed in a way that ensures an appropriate level of security, including “protection against unlawful processing, accidental loss, and destruction of data.”
The problem most companies will face on the way to ensuring this level of security is that they are unaware of who has access to sensitive data. With cyber risk abounding and data breaches dominating headlines, your customers’ data privacy is paramount.
One important question to ask your software provider is how they manage third party vendors. Third party relationships are often responsible for handling sensitive sets of data. It is often the case that the organization has policies in place that stipulate how data should be secured. However, it’s one thing to have a policy in place, and another to ensure it is implemented.
Ultimately, your software should assist you in governing these policies by assigning accountability to these vendors. Robust platforms can task personnel with conducting tests and checks for each policy, which will let senior management know that security measures are both in place and operational.
The regulation also demonstrates a shift in data protection towards “Privacy by Design,” meaning that data protection measures must be designed into the development of business processes.
ERM software is your best bet to meet this regulation. Inherently, ERM solutions heavily rely on objective and inclusive risk assessments collected across departments. These assessments unify all areas of the business from the front lines to the board, meaning that risk managers can easily share security concerns with IT and front-line process owners for more informed strategic decision making and policy operationalization.
3. What response systems are in place if a breach should occur?
The GDPR mandates that a breach be reported to the supervisory authority and all potentially affected individuals within 72 hours of occurring.
A problem companies may encounter when addressing this stipulation is that they do not have a system in place that, one, knows exactly who the affected parties would be, and two, has the power to alert these parties in such a short amount of time.
Robust software solutions should be able to send automated notifications to the right people almost immediately after a breach occurs.
4. Can the organization prove GDPR compliance?
Those that fail to show they are taking steps to comply with the GDPR will face fines and liability for negligence. The GDPR creates two tiers of maximum fines. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower fine threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
Let’s say you are taking steps to comply with the GDPR and a breach occurs. Your organization will be able to avoid these fines if they can prove they’ve taken steps towards compliance by way of thorough reporting and documentation. If you have taken these steps, but cannot prove it, you will be held liable.
Many organizations find it difficult to prove compliance even when they’re taking the steps to achieve it. This may be because they do not have a system in place to keep track of the multitudes of moving parts involved in a large regulation like the GDPR. Or perhaps they are trying to document their progress, but do not have a way of consolidating the documentation.
Can your risk software provide you a full compliance readiness checklist? Ideally, your risk management platform should make it easy to build out a regulation report where each requirement of the GDPR is a line item, to which administrators can answer ‘yes,’ ‘no,’ or ‘N/A.’ This feature not only helps your business keep track of where they are achieving or lacking compliance, but it also assists you in building out comprehensive reports to show auditors and regulators.
The Key to Successful GDPR Compliance
Rob Coleman, CTO for UK&I at CA Technologies, said, “The key to getting ready in time for most large enterprises will be to create a cross-functional program of work containing representatives from legal, IT, HR and business units — this is not just an IT problem.”
Cross-functionality in risk management is intrinsic in an enterprise risk management approach. Achieving GDPR compliance can be overwhelming. But when businesses take an ERM approach, they can easily break down the process into segments that different individuals are accountable for. Step by step, as individuals complete their own tasks, these segments will be brought back together into a picture of compliance.
The GDPR is the biggest change to data privacy regulation in 20 years, it’s just around the corner, and it’s going to take a village. ERM is the only approach to risk management that considers the village while on the road to compliance.