This post originally appeared on the Ebsta Blog - see original post.
If you attended Dreamforce this year, you probably noticed that the European Union's (EU) General Data Protection Regulation (GDPR) was a big theme. There were several breakout sessions and presentations all over the Dreamforce campus focused specifically on GDPR compliance. If you didn't notice, and you actively target customers who are EU citizens or residents, then I advise you to start paying attention now! So let's recap the discussions about the prioritization, breakdown, and preparation of the GDPR.
The EU's GDPR is a Priority
What I found most surprising at this event is just how many US companies are prioritizing the GDPR. During a breakout session at Dreamforce, Michael Spadea of PwC shared that 98% of large US, UK, and Japanese companies (defined as greater than $500m in revenue) rate the GDPR as either their top priority (56%) or one of their top priorities (42%). Additionally, these companies are putting significant financial capital behind this priority. According to a PwC survey of companies, "60% said they plan to spend at least $1 million on GDPR preparation projects and 12% plan to spend more than $10 million."
If these businesses have customers in the EU, they must comply with the GDPR or face fines of up to 4% of global annual turnover or 20 million euros, whichever is greater. However, the reason they are pushing prioritization and promoting readiness is that GDPR compliance is an advantage that will help them beat their competition. A report by McAfee shows that 74% of business decision makers agree that data protection is used to attract new customers. Have you heard the saying "the early bird gets the worm"? In this case it will be true come May 2018, when the GDPR will be enforced by regulators.
It's not just US companies that are making progress preparing for the GDPR, but they are certainly ahead of UK and Japan based companies. The same PwC survey revealed that 22% of US companies are fully ready for the GDPR, compared to just 8% of UK companies and 2% of Japanese companies. Even so, Forrester Research predicts that 80% of firms will be unable to fully comply with the regulation by May 2018; half of that non-compliance will be intentional, the other half unintentional, given the costs and risks involved.
So, what can companies do to prepare for the GDPR? First let’s break it down.
GDPR Overview: Breakdown
The reason many companies are taking their data strategy further than mere compliance for the GDPR is because consumers want this kind of protection. Therefore, showing customers that the GDPR is a priority shows a concern about them and their best interests. This is in line with the nature and purpose of the GDPR, which is to provide security, accountability, and respect of an individual’s rights for their personal data that brands use everyday to build relationships with customers.
Preventing unauthorized access to personally identifiable information (PII) is already a major concern for businesses, but the GDPR takes that to the next level by reforming existing legislation. The GDPR covers all personal data: any information relating to an identified or identifiable natural person. This includes direct identifiers (name, contact details, ID number, and location data), online identifiers (IP addresses, cookies, RFID tags), and indirect identifiers (factors specific to a person's physical, physiological, genetic, mental, economic, cultural, or social identity).
Any company that is processing or profiling the data of EU citizens and residents will be subject to the GDPR. Processing means essentially any operation performed on a data subject's personal data, whether by automated means or not, including personal data held in a filing system: any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis. Profiling is automated processing of personal data to evaluate personal aspects of an individual, such as their preferences, behavior, or location.
This alone can cause a lot of stress for employees, as there are many aspects of security to think about: risk management for potential data breaches, third party risk management when outsourcing data processing, appropriate language in documentation, vulnerabilities in the automation of data subject rights, and more regulators checking up on companies. These risk factors are heightened, but they are not really new. The most significant change that comes with this regulation is accountability.
Both data processors and data controllers will need to be transparent and take ownership of their data protection policies. There are requirements to keep audit trails of when data is collected and how it is used. Each time data is collected, companies must inform the data subject in a timely manner. If the data comes directly from the data subject, they must be informed at the time the data is collected. If the data comes from a third party source, the company must inform the person within a reasonable period after obtaining the data, and at the latest within one month, depending on the nature of the data.
In addition to transparency, each data controller needs a lawful basis for processing. Article 6 of the GDPR lays out the lawfulness of processing personal data and recognizes six bases:
- Consent
- Performance of a contract
- Vital interests
- Legal obligation
- A public task
- Legitimate interest
The first five are straightforward, but legitimate interest requires further examination in order to interpret it accurately. Stephan Garcia of GDPRSuperheroes defines it as making use of data in a way that benefits the controller as well as the data subject. The Information Accountability Foundation put together a framework for assessing ethical legitimate interest in relation to data processing. It outlines five core values to consider, including:
- Progressive, Necessary and Proportional
- Respectful of Obligations
- Fair – Reasonable Expectations of the Data Subject
Data Protection Rights for Individuals
The final (but most certainly not least important!) purpose of the GDPR is to preserve individual privacy while products and services are delivered. Under the GDPR, EU residents and citizens have the following rights:
- Right of access
- Right to rectification
- Right to restriction of processing
- Right to data portability
- Right to erasure (right to be forgotten)
- Right to object to processing
- Right to be informed
When it comes to the right to be informed, the individual has the right to 'fair processing information', typically given through a privacy notice. At a minimum, the privacy notice must include the identity of the data controller, the identity of the controller's representative if one has been nominated, and the purpose(s) for which the data are intended to be processed.
Now that we’ve covered a high-level overview of the GDPR, let’s take a look at how you can prepare.
Preparing for GDPR Compliance
During a breakout session about the GDPR at Dreamforce 2017, PwC shared that it had identified ten major work streams in the GDPR adoption process, but just under half of its clients had completed preparation on the four largest work stream areas: data processor accountability, privacy by design, cross-border data strategy, and data lifecycle management.
Assuming you want to be one of the companies that intentionally complies with the GDPR, there are several actions you need to take to get ready. Depending on your company's size and the volume of data it processes, there are legal requirements such as appointing a Data Protection Officer (DPO). You will also need to be aligned with your data processors. For example, if you use Salesforce you can sign their GDPR addendum, which is Salesforce's agreement, as a data processor, with data controllers (their customers).
There are plenty of organizations consulting on GDPR readiness and a lot of documentation to help you with compliance. A Data Protection Impact Assessment (DPIA) is required for high-risk processing and is a best practice elsewhere. However, the most overlooked part of the GDPR is the "right to be forgotten" clause, which consumer advocate groups could use to drain companies' resources and damage their brands. It is therefore imperative that you get your front office systems ready by focusing on your high risk data sources.
It doesn't matter whether your employees work in sales, service, or marketing; you must get your data under control, understand what you have, give users in each department access only to what they have the right to use, and get the tools needed to service data going forward. With the ability to control an individual's data comes great responsibility. The following limitations apply to your organization's ability to collect, store, and use personal data:
- Purpose limitation – there must be a specific, explicit, and legitimate purpose
- Storage limitation – data must be kept in a state where your organization can identify when it is no longer necessary to store it
- Data minimization – collect only data that is relevant for the specific purpose
- Accuracy – data must be kept up to date
- Right to erasure (right to be forgotten) – data must be removable on request
Top notch data management platforms will let you record all transactions so you can understand where and when records came from, and will give users the tools to maintain the integrity of those records within the CRM. First, you need to ensure that the data you have is under control and up to date. We all know that sales reps are not great at keeping up with their CRM system, like Salesforce, and rely on their email inbox for the latest contact details.
Once you have your data under control, you need to understand the different types of data you hold, the rights you have over it, and whether you are able to retain and use it. Data subject access requests need to be handled quickly and efficiently when they arrive, and if the right to be forgotten is invoked, it is critical that the information is removed from every mailbox and calendar where it resides, so that it cannot be reused and cause a data protection breach.
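To make the lifecycle concrete, here is an added example (not Ebsta's product code, and not from the original post) of a minimal personal-data inventory: every store that can hold a contact's data is registered, each collection is logged with its source, purpose and lawful basis, records past their retention period are flagged (storage limitation), an access request enumerates every store, and an erasure request propagates to every store rather than just the CRM. Store names, the subject id `subj-42`, the retention periods and the contact details are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# The six Article 6(1) lawful bases; a record without one should not be held at all.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interest"}


@dataclass
class Record:
    subject_id: str        # hypothetical internal key for the data subject
    source: str            # "direct" or the third party the data came from
    purpose: str           # the specific purpose it was collected for (purpose limitation)
    lawful_basis: str      # one of LAWFUL_BASES
    collected_at: datetime
    fields: dict           # the personal data itself


class Store:
    """One system holding personal data, e.g. a CRM, a mailbox or a calendar."""

    def __init__(self, name: str):
        self.name = name
        self._records: Dict[str, List[Record]] = {}

    def add(self, rec: Record) -> None:
        self._records.setdefault(rec.subject_id, []).append(rec)

    def find(self, subject_id: str) -> List[Record]:
        return list(self._records.get(subject_id, []))

    def erase(self, subject_id: str) -> int:
        """Remove every record for the subject and return how many were removed."""
        return len(self._records.pop(subject_id, []))

    def all_records(self):
        for recs in self._records.values():
            yield from recs


class DataInventory:
    """Registry of every store that can hold personal data, with an audit trail.

    `retention` maps each purpose to how long data collected for it may be kept.
    """

    def __init__(self, retention: Dict[str, timedelta]):
        self.retention = retention
        self.stores: Dict[str, Store] = {}
        self.audit: List[dict] = []

    def register_store(self, store: Store) -> None:
        self.stores[store.name] = store

    def _log(self, event: str, **details) -> None:
        self.audit.append({"event": event, **details})

    def collect(self, store_name: str, rec: Record) -> None:
        """Log a collection; refuse data with no lawful basis or no retention rule."""
        if rec.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"no lawful basis for {rec.subject_id}: {rec.lawful_basis!r}")
        if rec.purpose not in self.retention:
            raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
        self.stores[store_name].add(rec)
        self._log("collected", store=store_name, subject=rec.subject_id, source=rec.source,
                  purpose=rec.purpose, at=rec.collected_at.isoformat())

    def access_report(self, subject_id: str) -> Dict[str, List[dict]]:
        """Right of access: everything held on the subject, grouped by store."""
        report = {}
        for name, store in self.stores.items():
            recs = store.find(subject_id)
            if recs:
                report[name] = [{"purpose": r.purpose, "source": r.source, "fields": r.fields}
                                for r in recs]
        self._log("access_request", subject=subject_id, stores=sorted(report))
        return report

    def stale_records(self, now: datetime) -> List[tuple]:
        """Storage limitation: (store, subject, purpose) for data held past its retention."""
        return [(name, r.subject_id, r.purpose)
                for name, store in self.stores.items()
                for r in store.all_records()
                if now - r.collected_at > self.retention[r.purpose]]

    def erase_subject(self, subject_id: str) -> Dict[str, int]:
        """Right to erasure: purge the subject from every registered store, not just the CRM."""
        removed = {name: store.erase(subject_id) for name, store in self.stores.items()}
        leftovers = [name for name, store in self.stores.items() if store.find(subject_id)]
        if leftovers:
            raise RuntimeError(f"erasure incomplete in {leftovers}")
        self._log("erased", subject=subject_id, removed=removed)
        return removed


def demo():
    """Constructed scenario: one contact spread across CRM, mailbox and calendar."""
    inv = DataInventory(retention={"sales_followup": timedelta(days=365),
                                   "event_invite": timedelta(days=30)})
    for name in ("crm", "mailbox", "calendar"):
        inv.register_store(Store(name))
    t0 = datetime(2017, 11, 1, tzinfo=timezone.utc)
    inv.collect("crm", Record("subj-42", "direct", "sales_followup", "legitimate_interest",
                              t0, {"name": "A. Example", "email": "a@example.com"}))
    inv.collect("mailbox", Record("subj-42", "direct", "sales_followup", "legitimate_interest",
                                  t0 + timedelta(days=3), {"email": "a@example.com"}))
    inv.collect("calendar", Record("subj-42", "third_party:partner_list", "event_invite",
                                   "consent", t0, {"email": "a@example.com"}))
    return inv, t0 + timedelta(days=60)  # "now": 60 days after collection
```

The design point is the registry: an erasure request can only be honored if the organization knows every system a subject's data has reached, so `erase_subject` iterates the registry and fails loudly if anything is left behind, and `stale_records` turns the storage limitation into a check that can be scheduled rather than a sentence in a policy.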
Looking at data privacy and consumer rights holistically, there are a number of data privacy regulations across the globe to pay attention to, such as the EU's ePrivacy Regulation and Directive on Security of Network and Information Systems (NIS), the US Health Insurance Portability and Accountability Act (HIPAA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and Japan's Act on the Protection of Personal Information. Needless to say, we are in a new age, and one that will protect individuals and their data.
Overwhelmed yet? Don’t worry! We’ve developed new tools to enable GDPR compliance. Book a GDPR demo today to see them in action!