A tactical 5-step model for achieving GDPR compliance
May 25th – the day that the General Data Protection Regulation goes into effect, forever impacting how companies manage personal data – is fast approaching. We already know that this regulation is arguably the most groundbreaking data privacy law to-date, going far beyond just the EU and affecting all companies that manage personal data about people residing in the EU – hence also being highly relevant for U.S.-based companies with an international presence.
It’s a now or never situation: business leaders must already have a plan in motion that ensures GDPR compliance. Yet, most companies are still fairly behind where they should be at the most foundational level – with one survey indicating that more than half of respondents say their organization is either “not concerned about GDPR or are unaware of its relevance for their business.”
For companies large and small, the road to GDPR compliance is a massive, complex undertaking. However, in order to move forward with any process, it’s imperative to understand what the regulation is at its core – having the ability to store and process personal data securely, responsibly and lawfully. As a byproduct, it also provides the opportunity to reduce data processing costs and improve data analytics.
GDPR compliance can be boiled down into a strategic five-step process that allows businesses to complete the shift tactfully. By breaking the end-to-end data lifecycle down into five stages within an enterprise application, it makes it possible to manage the data, systems and processes requiring change in a logical manner.
Let’s dive into the specifics of this model.
1. Data collection
To begin, all existing personal data (PD) must be identified, and the systems and processes surrounding that data must be logged for review and possible change. During this time, some PD may be deemed unnecessary and deleted; the remaining PD must be flagged as needing additional permission from the user.
2. Data storage
Next, look at the systems used to store PD. These must be updated to include several factors, including fields which relate to the ‘purpose’ for holding the data, legal grounds for processing, processing dates, and actions which could (and in some cases, could not) be performed.
Any data stored must be protected by GDPR-compliant controls for general data security, including access control, storage security and data backup, and these controls must be demonstrably sufficient for the purposes of GDPR compliance.
3. Data recall
Businesses must be prepared to provide detailed reports to any individuals whose data lives in the system, upon their request. This includes rationale behind why the data is being held, where it’s being used and how much storage time is left on each item.
Designing and writing these reports is not the complex part; rather, the challenge is ensuring all personal data is stored and tagged correctly. Getting this right requires a critical look at the company’s data collection and storage processes.
4. Data maintenance
Data maintenance processes must be considered for every individual whose data is held in the system, so that their records are kept accurate. One way to ensure this is to let internal subjects update their own data through self-service, and to update processes so that external subjects can have their data corrected.
5. Data processing
Data should be processed in accordance with the legal grounds set out in the GDPR, and in compliance with the wishes of the data owner.
Ensuring that collected data is used only for the purposes given requires changes to processes that access data before taking an action, such as e-mailing or calling a data subject. Extra data about allowable actions must be collected and stored alongside the personal data, so that automated processes only pick up compliant data for compliant actions.
Assembling documentation is one of the most significant challenges for organizations’ GDPR compliance. Also of significance, and a change from previous data protection legislation, is the inclusion of the right of the data subject to withdraw their consent and furthermore have their personal information removed (known as the “right to be forgotten”). Under this provision, individuals are allowed to request the removal of their personal data when there is no compelling justification for its continued processing by a company. Therefore, these processes must be adjusted to record consent from the user for processing, or one of the other lawful grounds for processing.
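As an added illustration (not code from the article or from any vendor it mentions), the following Python sketch ties steps 2, 3 and 5 together: each personal-data record carries the purpose, legal basis, collection date, retention period and allowed actions the article calls for; a subject access report is generated from those fields; and an automated action such as an e-mail send is gated on the record's allowed actions, retention and consent status. The class and field names, the sample subjects and the retention periods are all constructed assumptions, not anything the regulation or the article prescribes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example record: personal data plus the GDPR metadata the
# article says storage systems must carry (purpose, legal basis, dates,
# allowed actions). Field names are assumptions for illustration only.
@dataclass
class PersonalDataRecord:
    subject_id: str
    field_name: str
    value: str
    purpose: str
    legal_basis: str            # e.g. "consent", "contract", "legal_obligation"
    collected_on: date
    retention_days: int
    allowed_actions: set = field(default_factory=set)
    consent_withdrawn: bool = False

    def retention_expires_on(self):
        return self.collected_on + timedelta(days=self.retention_days)

    def days_remaining(self, today):
        return max(0, (self.retention_expires_on() - today).days)

    def is_usable(self, today):
        # A record may be processed only while retention has not expired and,
        # for consent-based records, while consent has not been withdrawn.
        if self.days_remaining(today) == 0:
            return False
        if self.legal_basis == "consent" and self.consent_withdrawn:
            return False
        return True


class PersonalDataStore:
    def __init__(self):
        self.records = []

    def add(self, record):
        self.records.append(record)

    def records_for(self, subject_id):
        return [r for r in self.records if r.subject_id == subject_id]

    def subject_access_report(self, subject_id, today):
        # Step 3: per-item report of why data is held, how it may be used,
        # and how much retention time is left.
        return [
            {"field": r.field_name, "purpose": r.purpose,
             "legal_basis": r.legal_basis,
             "allowed_actions": sorted(r.allowed_actions),
             "days_remaining": r.days_remaining(today)}
            for r in self.records_for(subject_id)
        ]

    def withdraw_consent(self, subject_id):
        # Consent withdrawal only affects records whose lawful ground is consent.
        for r in self.records_for(subject_id):
            if r.legal_basis == "consent":
                r.consent_withdrawn = True

    def erase(self, subject_id, today):
        # Right to be forgotten: an erasure request withdraws consent, then
        # removes every record of that subject with no remaining lawful ground.
        self.withdraw_consent(subject_id)
        keep = [r for r in self.records
                if not (r.subject_id == subject_id and not r.is_usable(today))]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def recipients_for_action(self, action, field_name, today):
        # Step 5: an automated process (e.g. a mailing job) only picks up
        # records that allow this action and are still lawfully usable.
        return [r.value for r in self.records
                if r.field_name == field_name
                and action in r.allowed_actions
                and r.is_usable(today)]


# Constructed sample data; values and subjects are invented.
TODAY = date(2018, 5, 25)

def build_sample_store():
    store = PersonalDataStore()
    store.add(PersonalDataRecord("s-001", "email", "alice@example.com",
                                 "newsletter", "consent", date(2018, 1, 10),
                                 365, {"email"}))
    store.add(PersonalDataRecord("s-001", "phone", "+1-555-0100",
                                 "contract support", "contract",
                                 date(2018, 1, 10), 730, {"call"}))
    # Expired consent-based record: collected over a year ago.
    store.add(PersonalDataRecord("s-002", "email", "bob@example.com",
                                 "newsletter", "consent", date(2017, 1, 1),
                                 365, {"email"}))
    return store
```

Running `build_sample_store().recipients_for_action("email", "email", TODAY)` returns only the record whose retention and consent are still valid, and after `withdraw_consent("s-001")` the mailing job receives no addresses at all while the contract-based phone record remains available for calls.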
Reaching the end goal
To lead the charge, major Silicon Valley giants are working to ensure all GDPR-compliance steps are as transparent as possible for users. For instance, Google created a privacy dashboard to help show what PD is held, Microsoft implemented a new data collection viewer for Windows 10 that holds a similar purpose, and Facebook announced a new privacy center that holds all core privacy settings in one place to help keep these processes transparent.
Regardless of size, all enterprises need to implement a noticeable shift, fundamentally understanding the role of their organization with respect to data controller and/or data processor responsibilities in order to ensure they’re going about compliance correctly.
With refreshed processes, clean data and lower volumes, data processing costs are reduced, and data analytics are more effective. Once May 25 rolls around and compliance is achieved, businesses can expect data volumes to be reduced considerably, while data quality rises and becomes more manageable to utilize and maintain.