The General Data Protection Regulation (GDPR) is one of the most robust individual privacy rights frameworks enacted to date. The regulation contains 99 articles, but it is a handful of those that have upended the traditional privacy paradigm.
Those paradigm-shifting components include:
- The Data Protection Officer (DPO) mandate
- A broader set of individual (data subject) rights than any earlier regime
- A genuinely clear, affirmative opt-in (consent) requirement
- A breach disclosure mandate
To support these new responsibilities, most enterprises will have to automate their privacy rights management processes.
The Data Protection Officer (DPO)
Like any change initiative, the first step is to create a sense of urgency; the possibility of large fines and a fixed enforcement date should achieve that. The next step is to identify a “champion” to lead the change. Article 37 of the GDPR requires a Data Protection Officer for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; many organizations outside those categories appoint one voluntarily. Under Article 38 the DPO must report directly to the highest level of management and may not be dismissed or penalized for performing the role. Responsibility for compliance can therefore no longer be parked with a mid-level manager in the IT or data science department whom the CEO can claim was unaware of shortcomings in data governance. As of May 25, 2018, accountability clearly sits with the C-suite.
It should be noted that the DPO role can be filled by an outside entity. Since qualified DPOs tend to be both expensive and difficult to find, fractional DPOs and DPO-as-a-Service offerings from professional services companies may be a more viable alternative.
Here are some of the main responsibilities of the DPO, as outlined by ITGovernance.co.uk:
- Inform and advise the organization and its employees of their data protection obligations under the GDPR
- Monitor the organization’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
- Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation, and outcomes.
- Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
- Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
The DPO’s success in achieving these objectives will require support from all levels and functions within the organization, presenting a major opportunity to develop a unification process that transcends silos and builds company-wide efficiencies. This, in turn, could be viewed as one of the first competitive advantages that will be discussed in the next section. It is also important to note that technological solutions exist to support these compliance initiatives.
Data subject rights
The most complex requirements in the regulation are likely the data subject rights set out in Chapter III (Articles 12 to 23). These include the rights to object to processing (Article 21), to access one’s data and learn how it is used (Article 15), to be forgotten through erasure (Article 17), and to contest the data through rectification (Article 16) or move it through portability (Article 20).
At the center of the GDPR is the data subject’s right to see the data any company holds about them, as well as how that data is being used. For smaller companies with a single data source such as a CRM, this is simpler to address. It may still require development work to expose that data to an individual in a way that validates the person’s identity, time-stamps the interaction, and leaves a record that can be shown to third-party auditors and regulators later. For larger companies with multiple data repositories, the requirement is considerably harder. Most companies have at least four data sources among CRM, ERP, billing, analytics, human resources, applicant tracking, e-commerce, ticket management, help desk, and websites.
While many companies can respond to a few requests a month by hand, processing hundreds or thousands quickly becomes overwhelming, particularly since Article 12 requires a response within one month of receipt (extendable by two further months for complex or numerous requests, provided the individual is told of the extension and the reasons within the first month). In these situations, companies will need to centralize their view of the data and automate the processing of subject access requests and the associated individual rights.
In addition to better visibility, under the GDPR the data subject gains new powers over what can be done with their data, including the right to be forgotten and the rights to contest or move data. The right to be forgotten allows a data subject to request that certain data be deleted: a single data point such as an email address, a particular transaction, or the person’s entire record with a company. From a business standpoint, “forgetting” a data subject does not necessarily mean deleting the record; in many cases it means anonymizing it, severing the subject’s association with a record such as a transaction that the business has a legitimate reason to retain for billing purposes. Note the distinction the regulation draws (Recital 26): data only counts as anonymous, and so falls outside the GDPR, if the individual can no longer be identified by any means reasonably likely to be used. Data that can still be re-linked to the person with a separately held key is merely pseudonymized and remains personal data.
Deleting or anonymizing the data is the easy part, however. Knowing where all the data points are located, and then proving that they have all been deleted, is exponentially more challenging. This is accentuated by the fact that many organizations are unaware of all the past and present data collecting initiatives that various internal departments may have in place. An example of such an initiative might be a special “shadow IT” project whose existence may only be known to a handful of employees. These often circumvent the more formal IT approval processes in favor of speed to market, and are therefore often developed without the full knowledge of the IT department. For instance, a marketing department seeking real-time consumer data might create its own solutions to measure and track customers in its stores. These often run outside of existing IT networks.
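As an added illustration, not code from the article or from any vendor it mentions, the following Python handles the two request types discussed above, access and erasure, across several constructed in-memory silos. The silo names, field names, the rule that billing records are retained and anonymized rather than deleted, and the audit-log salt are all assumptions. It demonstrates the two practical points made above: locating a subject’s data means scanning every field of every store for every identifier held about the person, not just the obvious key, and “forgetting” can mean severing the link rather than deleting, with a re-scan afterwards producing the evidence an auditor would ask for.

```python
"""Toy data-subject-request handler over several independent data silos.

Illustrative code added to this article. Silo names, field names, the
retention rule for billing, and the audit salt are assumptions; the
records are constructed sample data. Requester identity is assumed to
have been verified before these functions are called.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: three silos that identify the same person differently.
SAMPLE_STORES = {
    "crm": [
        {"id": 1, "email": "ana@example.com", "name": "Ana Lopez", "phone": "+34 600 000 001"},
        {"id": 2, "email": "bo@example.com", "name": "Bo Chen", "phone": "+44 7700 900 002"},
    ],
    "billing": [
        {"invoice": "INV-1001", "email": "ana@example.com", "amount": 49.90, "tax_year": 2017},
        {"invoice": "INV-1002", "email": "bo@example.com", "amount": 12.00, "tax_year": 2018},
    ],
    "helpdesk": [
        # The identifier hides inside free text, not in the obvious key field.
        {"ticket": 77, "requester": "a.lopez", "body": "Please call Ana Lopez back on +34 600 000 001"},
    ],
}

# Silos whose records must be kept for another legal basis (assumed: fiscal
# records). These are anonymised in place rather than deleted.
RETAIN = {"billing"}

# Assumed per-deployment secret for the audit-log pseudonym; a real system
# would load it from a key store, not a source file.
AUDIT_SALT = b"example-audit-salt"


def fresh_sample_stores():
    """Return an independent copy of the sample data so each request starts clean."""
    return copy.deepcopy(SAMPLE_STORES)


def subject_identifiers(stores, email):
    """Every direct identifier held for the subject, seeded from the CRM profile.

    Scanning for all of them, not just the e-mail, is what catches the
    helpdesk ticket above, which never mentions the e-mail address.
    """
    ids = {email}
    for rec in stores.get("crm", []):
        if rec.get("email") == email:
            ids.update(str(rec[k]) for k in ("name", "phone") if rec.get(k))
    return ids


def locate(stores, identifiers):
    """Map silo -> records that mention any identifier in any field."""
    hits = {}
    for store, records in stores.items():
        for rec in records:
            blob = json.dumps(rec, ensure_ascii=False)
            if any(ident in blob for ident in identifiers):
                hits.setdefault(store, []).append(rec)
    return hits


def access_report(stores, email):
    """Right of access: copies of everything held about the subject, per silo."""
    return copy.deepcopy(locate(stores, subject_identifiers(stores, email)))


def erase(stores, email, retain=RETAIN):
    """Right to erasure: delete, or anonymise where retention is required,
    then re-scan and return an audit record showing what is left."""
    ids = subject_identifiers(stores, email)
    actions = {}
    for store, records in locate(stores, ids).items():
        if store in retain:
            # Keep the record (invoice amount, tax year) but sever the link to
            # the person by overwriting every field that names them.
            for rec in records:
                for key, value in rec.items():
                    if any(ident in str(value) for ident in ids):
                        rec[key] = "[erased]"
            actions[store] = {"anonymised": len(records)}
        else:
            stores[store] = [r for r in stores[store] if r not in records]
            actions[store] = {"deleted": len(records)}
    residual = sum(len(v) for v in locate(stores, ids).values())
    return {
        "requested_at": datetime.now(timezone.utc).isoformat(),
        # The audit trail must not re-create the personal data it documents,
        # so the subject is recorded as a salted hash the DPO can match later.
        "subject": hashlib.sha256(AUDIT_SALT + email.encode()).hexdigest(),
        "identifiers_searched": len(ids),
        "actions": actions,
        "residual_records": residual,
        "status": "complete" if residual == 0 else "incomplete",
    }


if __name__ == "__main__":
    stores = fresh_sample_stores()
    print(json.dumps(access_report(stores, "ana@example.com"), indent=2))
    print(json.dumps(erase(stores, "ana@example.com"), indent=2))
```

In a real deployment the silos are databases and `locate` becomes a set of queries, but the shape is the same: build the identifier set from the system of record, search everywhere for all of them, act per silo according to its retention rule, and re-search before signing the audit record. A non-zero `residual_records` is the signal that a silo or field was missed, which is exactly the failure mode the “shadow IT” discussion above describes.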
Companies must also be aware of, and remain accountable for, their vendors, partners, and third-party software platforms, many of which act as data processors for customer information. Under Article 28 a controller may only use processors that provide sufficient guarantees and must bind them by contract, and processors now carry direct obligations of their own. That sharing of duties does not relieve the controller of responsibility for ensuring that data subjects’ rights are properly honored across the whole data supply chain.
It is also important to note that data subjects’ protection rights are not solely applicable to customers. As David Dadoun, Head of global shoe retailer Aldo Group’s Business Intelligence and Data Governance organization, shared: “...sensitive HR employee data must also be treated with the same care. There is obviously fiscally regulated data such as income tax reporting and the like that cannot be deleted upon request, but otherwise, employees benefit from many of the data subject privileges as consumers.”
Clear consent
When it comes to terms and conditions, consumers click “accept” almost daily while rarely reading the pages of small print that describe what they are accepting. The GDPR requires that a request for consent be presented in clear and plain language, clearly distinguishable from other matters, and that it state what data is collected and for what purpose (Articles 7 and 12). Consent must be a clear affirmative act; pre-ticked boxes, silence or inactivity do not count (Recital 32). The regulation also requires that withdrawing consent be as easy as giving it (Article 7(3)), so the option to opt out of communication or processing must be just as clear and simple as opting in.
Breach notification
Many data breaches go for weeks, months, or even years before being disclosed. According to a Bitdefender report, the average breach runs over 37.9 days before detection or reporting. Under Article 33, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a later notification must be accompanied by the reasons for the delay. Processors must notify their controller without undue delay, and Article 34 adds a duty to inform the affected individuals when the breach is likely to result in a high risk to them. Because the clock starts at awareness, not discovery by the press, organizations that fail to monitor for breaches in the first place gain nothing by it: the regulation expects security measures appropriate to the risk (Article 32), and the short window will force organizations to pay much closer attention to breach signals or risk large fines for non-compliance.
Fines with a real impact on the bottom line, up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (Article 83), are intended to instill a heightened sense of urgency and overcome “breach fatigue.” Consumers have become so accustomed to data breaches that what used to be outrage (for example, the 2013 Target breach) has almost fizzled into indifference. Going forward, when an EU data subject’s personal and sensitive data is compromised, apathy should no longer be the typical response.
Compliance with the GDPR will not guarantee a full stop to breaches, particularly as technologies both for attacking and defending databases continue to advance. However, it should greatly boost a company’s motivation to respond to breaches in a quick, effective manner.
Though not explicitly a requirement of the GDPR, the practical effect of all these new elements is the sheer scale at which data discovery, data monitoring, breach management and Subject Access Requests will affect each business. As Chris Babel, CEO of TrustArc said, "The GDPR is driving a fundamental shift in how companies manage privacy. In addition to requiring the development of new processes, companies need to operationalize their program in order to efficiently manage compliance on an ongoing basis. The only way to do this at scale is by using technology to automate the process versus just relying on hiring more people."
For many companies, May 25, 2018 marked the end of the “assessment period” and the beginning of the “operationalizing period” within which platform adoption will likely take center stage.