Now that the EU General Data Protection Regulation (GDPR) is in force, more people are asking us about the new law and how it affects US-based businesses. When we ask about the status of their compliance efforts, we hear a variety of responses, including
“We don’t have any EU employees, so we are pretty sure it doesn’t apply to us.”
“Our legal team is on top of it.”
Here’s another response we’ve been hearing lately:
“Our security and compliance teams are on board, and they are comfortable that we will be fine.”
These companies think they’re doing everything needed to achieve GDPR compliance, when in reality they may have just scratched the surface. Do a Google search on “GDPR Compliance” and you’ll find numerous links to high-level blog posts and white papers, along with some product promotions, but much less material that will help you understand the details of what the regulation requires you to do from a technology standpoint. GDPR has many requirements for what IT systems must be able to do, but does not provide guidance as to how. The only two technologies referenced in the GDPR are encryption and pseudonymisation.
Start with “how” and “why”
Knowing what personal data you have and where it resides is a potential first step in complying with GDPR, and the right tools can help you make substantial progress in that area. However, extensive manual effort will still be needed. To complicate matters further, your data is a moving target, always evolving as your company operates its core business.
Most companies do not have the resources or budget to perform a full data inventory. A different way to tackle this problem is to focus on your data processing activities, including how you are processing personal data and why (what your business reason is for processing that data). Using processing activities as a starting point allows you to think in terms of how your business works rather than trying to focus strictly on the data elements.
Once you have a list of your data processing activities, then it will be much easier to describe and categorize:
- Your data subjects
- The personal data that you are processing
- The recipients of this data
- Your retention limits
- How you are securing this data
Move forward with “what”
Once you have a thorough understanding of how and why you are processing personal data, then you can dig deeper into the “what”: the systems that process the data. GDPR requires that you be able to execute specific tasks and to “prove” that you executed them in a compliant and timely manner.
Take, for example, the right to be forgotten. If a customer tells you to erase all her personal data, it’s not enough to know that that data resides in your CRM, sales, shipping, customer service, accounts receivable, and a host of other systems. You’ll need to leverage the data processing information we discussed above to understand exactly what happens when you delete the data from one system. Are your data models relational throughout the organization? Does deletion of a record in one system propagate through other internal and third-party systems? Do you even have the ability to erase this data?
Another example is the requirement around data access: GDPR gives EU data subjects the right to request access to their personal data and to make edits or corrections. If a customer requests access, you must have a process in place for providing the applicable data and for processing any requested changes in all applicable systems, including data being stored and processed by third parties.
Automated or manual?
So, you must need an automated solution for handling those requests, right? Not necessarily. The GDPR doesn’t demand that you automate these processes; it just requires that you be able to execute them. If your database of EU residents is relatively small and you don’t anticipate these requirements coming up frequently, a manual process might be the most cost-effective way of meeting your obligation. However, even if you plan to handle portability, consent, and erasures manually, you still need to track how you are processing this data, why you are processing it, and where it goes, since you will need to provide an audit trail showing that you have handled these areas correctly.
If, on the other hand, you have a high volume of EU resident data in your database, manual processes can quickly become time-consuming and cost-prohibitive. An automated process requires systems to work together, including systems that may not be designed to deal with these types of requests. Most marketing platforms, for example, are capable of processing the giving and withdrawing of consent to use data for specific purposes, but other systems, such as your CRM, ERP, and HRIS platforms, typically are not. A GDPR readiness project that involves this level of complexity typically requires the services of a partner with specialized expertise in data management, enterprise architecture, and compliance.
How the right partner can help
When it comes to your company’s readiness for the EU General Data Protection Regulation, relying on what you think you know or what you’ve heard from product vendors may not get you where you need to be. Partner with an expert who understands the regulation and who has the expertise in data, architecture, and compliance needed to help you get ready.
Like what you see?
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.