The following is a guest article from Arlo Gilbert, CEO and co-founder of Meta SaaS.
As the end of 2017 comes into view, organizations are suddenly realizing that they have less than a year to comply with one of the most sweeping privacy regulations we've seen in decades: the EU General Data Protection Regulation, or GDPR.
Hopefully GDPR is already on your radar. It's been relatively low-profile until recently here in the U.S., but as the deadline approaches fast, it has begun to rightfully enter more conversations. If you're not familiar with it, here's a quick breakdown:
- What is the GDPR? The General Data Protection Regulation is a set of new rules implemented by the EU designed to protect the personal data of EU citizens and hold organizations responsible for data security. It technically went into effect in 2016, but the deadline for compliance is May 25, 2018 – hence the current scramble to prepare.
- Who does it impact? Pretty much everyone – and not just if you have a physical presence in the EU. Organizations must abide by GDPR if they sell goods or services to EU citizens, operate a website that may be visited by EU citizens, employ any residents of the EU, or collect any data that may include information about EU citizens in any way.
- Why should we care? There's a good chance that your business falls into at least one of the buckets described above, and the penalties for non-compliance are significant to say the least. Breaching GDPR can result in fines of up to 4% of your annual global turnover or €20 million, whichever is higher.
Between the hefty fines, the weight and reach of the legislation, and the upcoming deadline, it's no wonder that IT teams are feeling the GDPR pressure. But addressing such massive regulation can be daunting. What are your immediate must-dos and how do you get started?
6 steps to a strong GDPR foundation
Before you make any significant changes to your teams or technology to address GDPR, start with clear visibility into what you need to do and why. This involves an in-depth look at both the regulation itself and where your organization currently stands in relation to it.
1. Evaluate your risk
One of the tricky things about GDPR is that while it definitively states that businesses must take technical measures to protect citizens' data, it doesn't specify what those measures must be. This is a blessing and a curse for most organizations. On the one hand, you have the freedom to comply as you see fit; on the other, there's no guarantee that your efforts will be adequate.
A good place to start is assessing your particular level of risk. If you run a primarily U.S.-based business but have a handful of EU residents signed up for your newsletter, you're in a very different position than if you have hundreds or thousands of EU-based customers or employees.
GDPR recognizes this distinction, and mandates that the degree of effort required to protect the data should reflect that data's level of risk. This doesn't let you off the hook if you only have marginal EU interactions, but should inform your strategy.
2. Identify the must-dos
Not every stipulation of GDPR will impact your business, but it does lay out a handful of rules that every organization must abide by. These include (but are not limited to):
- 72-hour breach notification. Under GDPR, you are required to notify customers within 72 hours of a security breach that is likely to "result in a risk for the rights and freedoms of individuals."
- Right to access and data portability. This gives people the right to learn whether, where and how personal data about them is being processed and to access that data free of charge in a consumable format. That means you need to be able to serve that data up on request.
- Right to be forgotten. One of the most hyped tenets of GDPR, the right to be forgotten entitles people to demand that their personal data be erased if it is no longer relevant to the original reason for its collection or if the "data subject" simply withdraws consent. This is important and also not as clear-cut as it seems, as the regulation also "requires controllers to compare the subjects' rights to 'the public interest in the availability of the data' when considering such requests."
- Privacy by design. A big one for IT teams, privacy by design "calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition." In other words, any new systems that you implement must include built-in data protection measures, not just security solutions that you tack on after the fact.
3. Appoint a data protection officer
For some organizations, GDPR mandates that you appoint a data protection officer, or DPO.
This doesn't apply to every company and relates to how your business communicates with its local data processing authority, but is required if your "core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale."
Even if you don't fall into that category, a DPO is probably a good idea. You need a leader to spearhead your data protection efforts for GDPR compliance and beyond.
4. Get to know your data protection authority
While GDPR was born from the EU as a whole, and will certainly impact organizations far beyond the EU's borders, it relies on enforcement by local data protection authorities, or DPAs.
DPAs are complicated entities. Each participating country, or member state, has one or more of these authorities that are responsible for national and international compliance and enforcement, but that must also maintain some level of independence from their local government. Further muddying the waters, organizations can choose which DPA to follow.
For U.S. companies, this means that they need to understand the nuances of the DPA(s) for the specific countries in which they do business, and potentially "shop around" for the friendliest one. While most stipulations will likely be the same and all will be predicated on the overall GDPR, there will be differences that affect both compliance and the process when an affronted "data subject" approaches their local DPA with a violation.
5. Assess your current state
You can't tackle GDPR compliance without a clear idea of where you stand today. Examine your people, processes and technology with a GDPR lens. What data do you have? Where does it live? How do you access, manage, and secure it? What are your processes around preventing, remediating, and communicating breaches? Who owns which pieces of the puzzle within your organization?
These questions and this process shouldn't be completely unfamiliar. Much of the information about your current data protection processes and policies probably exists in your security and risk management departments and solutions.
Remember, however, to look outside security (how and where you store the data) and address how that data is used and by whom. This will likely require extending your audit more deeply than before into business departments like HR and marketing.
This internal audit is especially crucial for organizations that rely heavily on SaaS solutions. IT chronically underestimates its SaaS footprint.
Most CIOs think their organization only uses around 30 or 40 cloud applications, while the reality is more like 928 for the average enterprise organization. The difference consists of shadow IT; unused, underused or unmanaged licenses and subscriptions; and point-product tools chugging away in some forgotten department. All of these rogue solutions must be accounted for to ensure GDPR compliance.
6. Focus on data governance
Now that you have a clearer picture of your data, get it organized.
Strong data governance is essential to a well-oiled IT machine for a whole host of reasons, but GDPR is now near the top of the list. The regulation mandates governance for certain types of data, like personal information, but compliance will likely require thoughtful data governance across the board.
Your current-state audit hopefully identified where your data lives, both in structured form, like the information in your databases and systems, and as the unstructured items floating around in spreadsheets, on backup tapes, and in all of those rogue SaaS tools we mentioned before (if it's sitting in Dropbox or Google Drive, it counts).
Now you need to classify and control it. Your particular classifications and controls will depend on your business, but should include what it is, where it is, how it's used, who can use it, where and for how long it must be stored, and more.
Preparing for the enforcement of GDPR is a massive job, and one that is hopefully already underway at your organization.
It will eventually require new systems and processes – maybe new people, too – but should start by working with what you've got.
Dig into the regulation, figure out how it impacts your company, then get serious about your data. With that foundation, you'll be ready for whatever next steps prove necessary and set up for GDPR success.