General Data Protection Regulation
Data privacy is all the rage this week!
Lately we have been fielding a lot of calls about GDPR and its potential impact on companies here in the States. The short story is that GDPR will have an impact. As I explain below, the immediate impact is on companies that serve clients in Europe, which is a broad range of companies, such as Google, various social media platforms, financial organizations and many others. But in the longer term, GDPR will affect all of us.
What is GDPR? The General Data Protection Regulation, or GDPR, is a large-scale regulatory directive passed by the EU Parliament in 2016. Once passed, a two-year grace period was provided before enforcement of the regulation began. That grace period expired on May 25, 2018, and the regulation is now enforced.
Organizations that fall under this regulation are not only those located in the EU: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Here is a great link if you’d like to read the complete regulation. To summarize, GDPR is a new standard for data privacy and personal data rights. In light of recent news, the subject of data privacy is at the forefront, and ultimately people want greater care taken with their personal data. GDPR attempts to solve this problem.
Without getting into all of the specifics, GDPR is focused on a few key principles.
Taking greater care when designing solutions for the collection and use of data.
Data collection with a purpose: if you collect it, make sure you use it.
Elimination of redundancy: stop asking for data that you already have.
Deliberate third-party processing: who is processing what, and for what reason.
Term of data records: how long do you store data, and for what purpose.
Organizations must have a more granular understanding of the data they collect. You must document and track the data lifecycle from the collection point, through the processing path, to storage, to data updating, and ending with deletion.
Organizations of a certain size must designate a data officer; smaller organizations do not have that requirement but must define who will be responsible for managing data in their organization.
Transparency and control
Companies are now responsible for being more transparent about their data processing. The process must be communicated in easy-to-understand language that explains the purpose and use of all data collected.
Companies must also provide controls that allow users to update, review, and delete their data upon request.
Limitations on sharing
Data sharing is greatly limited and requires explicit language that describes the purpose of, and the pathway for, sharing such data.
Sharing or selling data will require prior approval, and the responsibility to care for and update those records will persist after sharing.
Wherever data language exists, it must be written in clear and concise language that can be understood by non-lawyers and non-database engineers.
While much of this will feel like a burden, and many will not be directly impacted by the regulation, the concepts are important and timely. As I write this, Mark Zuckerberg is testifying before Congress about data privacy. This issue is at the forefront of people’s minds, and the fallout will be great. It remains unclear whether new regulations will be put in place quickly under our current administration, but I can assure you that data privacy regulation is coming.
And given the uproar and the potential PR impact, I would suggest getting ahead of the game. Most of these practices are important. You should consider leading the charge to transform how you manage your clients’ data.
What can you do?
First, let me say we are happy to help and have expertise in this area. But if you are looking for some ways to get started:
Build a data inventory
What do you collect?
Where do you collect the data?
How is data collected?
What purpose is the data collected for?
Where is the data processed?
Where is the data stored and for how long?
If a data record changes, how is it kept up to date?
Review your language, T’s & C’s and contracts
Are your data policies clear?
Are your data terms spelled out?
Build a data team and policies
This can be outsourced or insourced.
Build processes for the complete data lifecycle and workflow.
Manage the change of those processes.
Field calls and requests.
Find a platform to govern and manage
We have a platform as do others.
This will be too complex to manage without a platform to support you.
There are deeper questions and more detailed steps to take, but this is a good start. Even just taking some time to reflect on these questions will put your company several steps ahead and heading in the right direction for the future.