With the deadline for GDPR compliance rapidly approaching, many organizations are facing a number of GDPR questions. In this post, we’ll answer 8 common GDPR questions that we hear from customers and prospects.
1. What is GDPR and why should we care?
GDPR, officially the General Data Protection Regulation (EU) 2016/679, entered into force in May 2016 and becomes enforceable on May 25, 2018. At the time of writing, that leaves about 15 months to comply. Organizations are now working to put the necessary policies and controls in place and to show that they follow them, for example by deploying tools that link metadata and information back to policies, trusted data sources, data usage, data sharing agreements, and more.
The primary difference between the GDPR and the prior data protection laws is scope. Data is now treated as a core business asset, and any company working with, or within, the EU will need to comply. The earlier rules were written before Google, Facebook and today's scale of online data collection, so customer data privacy and protection did not cover digital assets of this kind. The GDPR, by contrast, has an expansive scope: it explicitly covers online identifiers and digital behavioral data, and it applies to organizations outside the EU that process the data of individuals in the EU.
2. With Brexit in sight, will I still need to comply?
The simple answer is yes. According to this C Suite article, the UK government has confirmed that it will implement the GDPR notwithstanding the UK's decision to leave the EU.
Any business that collects and processes the personal data of individuals in the EU, monitors their online or offline behavior (knowingly or not), or has an establishment or staff operating in the EU will have to comply with the GDPR. Note that the regulation protects data subjects in the EU, not only EU citizens, and its territorial scope reaches beyond EU borders: a company with no EU presence is still covered if it offers goods or services to people in the EU or monitors their behavior. So even after Brexit, if you work with any EU-zone company or with EU-based individuals, you will need to take GDPR compliance into account.
3. What are my obligations?
The GDPR protects individuals in the EU and widens the definition of "personal data." Businesses will need to define the scope of affected IT systems accordingly. Any data that can be used to identify a person, directly or indirectly, now counts as personal data, including items like genetic data, health records, economic and financial information, social and online identifiers (account names, IP addresses, cookie IDs), and more. Some of these (genetic, biometric and health data among them) are "special categories" of data that carry stricter conditions for processing.
4. What roles should I hire?
A Data Protection Officer (DPO) is a mandatory appointment in specific cases, not for every company that collects personal data: the GDPR requires one where a public authority processes personal data, where an organization's core activities involve "regular and systematic monitoring of data subjects on a large scale," or where they involve "processing on a large scale of special categories of data." Many organizations outside these cases appoint one anyway. It's important to consider this requirement as part of your organizational structure going forward. Assigning accountable owners and responsibilities for the personal data you already hold is key. Be ready for changes in your organization (see below).
5. What can I do to re-assess my internal policies and landscape?
Review your PII and privacy policies at regular intervals; this can be driven by the Data Protection Officer or by the CDO directly. Start documenting how your policies cover situations such as a data subject's death or a request for deletion (the right to erasure). You should also put systems in place to verify individuals' ages and to gather parental or guardian consent for processing a child's data where the GDPR requires it. Data sharing agreements, for example, are built into Collibra and can be used to assess how data is accessed and shared. Documenting these internal changes, and verifying that the right data is stored, documented and shared in line with the regulation, is crucial. GDPR is not only about putting the right privacy systems in place but also about documenting and capturing these data processes. As a data controller you must be able to demonstrate that data subjects have given consent, and withdrawing consent must be as easy as giving it.
6. Are my tools compliant?
The answer might be no. Think about Dropbox, for example: even though it is a US company, more than 70% of its users are outside the US, so it holds data on many EU data subjects. The tools you use to store and process personal data will also need to comply with the GDPR, which places obligations directly on processors and requires a written contract between controller and processor that sets out the processing. Validating the data lifecycle across these systems of use, systems of record and systems of process therefore requires extensive governance.
7. How can I be ready for changes?
In December 2016, a draft of the new European ePrivacy rules was leaked. It contained a number of interesting insights into how the EU will regulate privacy in electronic communications networks, complementing and supplementing the GDPR. Rules can change at any time, at EU, national or regional level, so it is important to maintain a history of how user data is stored, handled, transferred and processed in a centrally accessible platform. This is where the Collibra platform comes into play: with its dedicated Policy Manager and Data Helpdesk capabilities, users can track changes and raise issues when data or metadata governance indicates that GDPR compliance has failed for certain records or systems.
8. What about Privacy Impact Assessments (PIA)?
The GDPR requires a data protection impact assessment (DPIA, the GDPR's term for what is commonly called a privacy impact assessment) for processing that is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of publicly accessible areas. Doing this well requires a platform like Collibra where all metadata can be linked and traced back to the systems, users and related policies. Any newly on-boarded system should go through a GDPR compliance check, and companies should be ready to perform a PIA on their systems. The assessment should identify:
- Compliance with privacy-related legal and regulatory requirements
- Risks of collecting, processing, and sharing personal information
- Protections and processes for handling information that mitigate the identified privacy risks
- Documented mechanisms for data subjects to give, refuse and withdraw consent
It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organization. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business, this could have significant budgetary, IT, personnel, governance, and communications implications.
There is no escaping GDPR if you truly want to be a data-driven organization. It is essential to get answers to your GDPR questions and start planning your approach to GDPR compliance in order to avoid fines and get the right buy-ins from your stakeholders.
The deadline is rapidly approaching. Don’t wait to plan your approach to GDPR compliance.