Compliance officers are hearing more and more chatter these days about the European Union’s impending new General Data Protection Regulation, coming into effect in May 2018.
Rightly so. The GDPR is likely to be a transformative experience for many businesses dealing with personal data.
For all practical purposes, the GDPR’s reach is global. The potential penalties for noncompliance are enormous. The procedural challenges to achieve compliance are huge. And the appetite for tough enforcement of the GDPR is high among regulators and the public alike, because of one simple fact: companies keep screwing up data privacy.
Why is GDPR compliance so daunting? Because it’s about more than data privacy alone. “Compliance” with the GDPR is really about empowering your customers to exercise a set of rights the European Union grants to its citizens.
Those rights allow EU citizens to control information about them on an ongoing basis. For example, not only must a company obtain consent before it collects personal data about a customer; it must allow that customer to revoke consent whenever the customer likes. Customers also have the right to see information collected about them; that implies some process to grant access. They have the right to specify where data collected about them is stored; that requires visibility into your data storage practices.
And, yes, you still need to keep all personal data secure, and you must meet daunting breach disclosure requirements when (not if) customers’ personal data is stolen somehow.
From GDPR Rights to Privacy Processes
If upholding those rights is the goal, then the first step toward compliance is analyzing your business processes to see how those processes do—or don’t—achieve those rights.
Ideally, your organization has already begun that assessment. It’s also crucial to ask: are we involving the right people within our enterprise, so that the assessment is useful? And are we asking the right questions?
For example, your chief information security officer should certainly be involved in assessing data storage risks. But if your company has easy processes to let employees store data online (collecting the birthdates of clients’ children, for example, and tucking them away in a customer relationship management application)—then you might need to involve the head of sales. That person knows how the business process truly happens; you and the CISO know where the compliance risks within that process are.
The challenge for compliance officers is to repeat that cycle again and again, working your way through all processes that might somehow intersect with consumer data collected in your extended enterprise.
In a certain sense, GDPR compliance is similar to Sarbanes-Oxley compliance of the mid-2000s. SOX forced companies to reconsider how they handle financial data, to ensure financial statements are reliable. The GDPR will force you to reconsider how you handle customer data, to ensure security and consumer control are upheld.
It will be a sweeping exercise, intended to make companies consider “privacy by design”—that is, how to govern privacy risks in every step of every process, and impose appropriate controls given the risks.
And you have little more than six months left to do it. So like we said at the start, expect lots more discussion to come.