Organizations are struggling to comprehend the impact of GDPR. They are faced with a barrage of often misleading, inaccurate or incomplete commentary from across the industry. It is time for many to stop, breathe and think before focusing on what is arguably the most significant change to data privacy there has ever been.
GDPR is a lengthy piece of legislation. It took four years of debate and negotiation before the legislation was passed by the EU Parliament in April 2016. Legislators agreed a two-year period for organizations to prepare themselves. With less than two months to go, many organizations are only just beginning to get serious about their preparation. Authorities will have the power to impose fines of up to €20 million or 4% of global turnover (based on the previous financial year) for any breach of GDPR. By leaving it this late to prepare, organizations are taking a significant risk.
The impact of GDPR is not confined solely to companies based in Europe. Any organization dealing with the personal data of European citizens needs to conform to the legislation. It doesn't even need a European office. It might be buying mailing lists, selling to European citizens from overseas or collecting data into a contact management system. The key issue is that if it holds anything that is considered Personally Identifiable Information, it must conform to GDPR.
There are a number of sites where companies can find details on the legislation. One of these is the EU GDPR page. There is also a very good guide to understanding the principles that has been produced by the UK ICO.
What does this mean for a Professional Services Organization?
Professional Services Organizations (PSO) hold a lot of detailed data on staff and customers. While much of this is project related, it also includes items such as expenses, timesheets, job reviews and other personal data. GDPR has the potential to deliver a heavy administrative impact on the organization. This includes the requirement to revisit their processes and technologies around data storage and retention.
Much depends on the existing data protection measures in place at a company. Those with existing wide-ranging policies that are followed and reported on will find that GDPR is an extension of what they have. Most of the work will be in aligning what they have with what GDPR requires them to have.
The same is not true for organizations who cannot easily identify different classes of data, especially PII. They will face significant disruption as they overhaul their processes. This is likely to require external assistance from organizations with GDPR readiness planning skills.
What to do now
By now, organizations should have started and even completed an assessment. This is not just about what data they hold but where it is held and how it is protected.
There are five key elements to the assessment:
Locate and map personal data: This is challenging for many organizations. GDPR has significantly extended the scope of what is considered personal data. Data is not always stored in one system or even just in systems owned by the organization. Staff increasingly use their own personal cloud-based apps to do company work. This runs the risk of data being outside of corporate control. In addition, many organizations share data with partners and subsidiaries. Any data acquired or shared must be fully identified and trackable.
What is the capability to search for personal data: The more locations in which data is stored, the harder it is to search for it. This is why organizations need to crack down on where data is stored. It is also important that organizations review their data search tools and, if necessary, consider buying or building tools that will make it easier to search for anything that could be considered PII.
How to minimize the amount of data held: Companies that gather large amounts of personal data often do so without a clear plan of what they want to use it for. Policies should look to reduce and eliminate excess or spurious data. Where data is gathered and retained, it must be done securely. A good example of this is shopping sites. They want to store payment and delivery details to make shopping a one-touch business. This data must be kept secure and that means encrypted.
Ability to respond to requests for personal data: At present, a Subject Access Request allows an organization 45 days to respond and is something they can charge a small fee for. Under GDPR, that comes down to 30 days with no fee. The reasons why a timescale can be extended have also been reduced. This is why there should be considerable effort put in to the capability to search personal data.
How to purge data upon request: GDPR allows individuals to request their data be deleted from systems. There are exceptions to this, most of which are based on legal requirements on the business. Until GDPR goes live and test cases take place, it is difficult to know if GDPR will require changes to other legislation. Organizations should consider making deletion their first action with retention only acceptable if they can demonstrate a clear and defensible legal requirement.
There is an urgency to making an organization GDPR ready. Failure to do so can have business threatening consequences. For the vast majority of organizations, GDPR is simply a tightening and extension of their existing data protection policies. For others, GDPR poses a real threat to the existence of their business.
The very minimum required of all organizations that hold personal data are the five assessments listed above. If you can meet all of those steps, then you have the basis for addressing GDPR.