When It Comes to GDPR Preparation, 21% of IT Professionals Say "We Have No Idea What We're Doing"
December 7, 2017
Pseudonymisation? Binding corporate rules? Data portability? Trilogues?
Understandably, there’s a lot of confusion around GDPR (it’s been called “a beautifully vague document full of inane blither”). That’s why we hosted a webinar this week called GDPR Compliance: “Explain Like I’m Five” with Data Privacy Expert. It ended up being our most popular webinar by far.
With GDPR’s implementation date (May 25, 2018) looming on the horizon, we wanted to simplify the regulation’s dense, vague, complex legalese and break it down into easy-to-understand concepts.
So we turned to Jodi Daniels, a data privacy expert and former SVP of enterprise privacy compliance at Bank of America, to help explain things. She is the founder of Red Clover Advisors, a data privacy consultancy that assists companies with GDPR compliance and other privacy topics.
The webinar covered all the major GDPR concepts and explained exactly what IT needs to do to become compliant. It also included a few poll questions that yielded some interesting data.
If you missed our webinar, no worries. Here’s a recap.
Everyone will have a hand in defining GDPR compliance strategy…
We kicked off the webinar by asking a poll question:
For about a third (36%) of our respondents, IT is leading the charge for creating a compliance strategy. But the majority (half) said it will be a cross-functional effort across the entire organization.
But the blame will likely fall on IT for any violations.
Our follow-up question was:
The results weren’t surprising. While multiple teams will be involved in defining a compliance strategy, almost half (49%) of our audience felt that only IT would shoulder the blame for any GDPR violations.
GDPR doesn’t just affect the EU.
Many people assume that if their office is located in the US (and they don’t have an office in the EU), then GDPR doesn’t apply to them. This assumption, however, is false.
If you collect data from an EU resident, regardless of where your office is located, then GDPR applies to you.
Personal data under GDPR is much broader.
You’re probably familiar with personally identifiable information (PII), but GDPR uses the phrase “personal data.” This includes data like your name, email address, phone number, and date of birth, but it’s broader than that. It also includes things like online identifiers (e.g., cookies, tags, pixels, IP address) and GPS location data. It includes sensitive data as well, like religious, ethnic, political, genetic, biometric, and sexual orientation data. GDPR really broadens the scope of personal data.
Bottom line: You need to understand what data you’re collecting and how you’re using it.
(And if you violate GDPR, there are stiff monetary fines—up to €20 million or 2-4% of annual global turnover, whichever is higher.)
GDPR introduces new privacy rights for individuals.
GDPR introduces a few new privacy rights for individuals, like the right to be forgotten. This means a person can request for their data to be deleted. To be able to delete someone’s data, you have to know (as a company) where and what that data is, and what your internal process is to execute that request. Sometimes there are exceptions to this rule and data can’t be deleted (e.g., for legal reasons).
There’s also the right to data portability, which means that someone can request that their data be moved (i.e., exported). This only applies to automated data (so it wouldn’t apply to, say, a stack of paper). Think: media lists, order history, transactional information. It has to be in a machine-readable format (like a CSV or Excel file); it can’t be in some gobbledygook format.
Data breaches must be reported within 72 hours.
Not every incident will be considered a data breach. But if it does meet the definition of one, then you must report it within 72 hours (and that countdown includes holidays and weekends!).
GDPR is all about transparency.
Privacy notices must be written in plain language—something that anybody can understand. It’s important for a customer to know what companies are going to do with their data, how they’ll share it, use it, etc. This is where IT and marketing teams must work together. You must review your privacy notice and ensure that it reflects all new product changes.
Minimize your data exposure.
GDPR is about minimization: Only collect, share, and keep the data that you absolutely need to. GDPR is designed to ensure that companies minimize any risk to the rights and freedoms of data subjects. Some companies may also need to appoint a Data Protection Officer.
21% of IT professionals say they have no idea what they’re doing when it comes to GDPR preparation.
Our last poll question of the webinar was:
Only 5% of our audience said they were fully prepared to comply with GDPR, while 21% of respondents admitted that they have no idea what they’re doing. About a third of the audience (32%) said that conducting a readiness assessment was where they needed the most help.
The path to GDPR compliance: 10 action steps IT can take today
- Assign a dedicated individual (or team) to focus on GDPR.
- Start listing all the systems that house data. Make a laundry list. One of the requirements of GDPR is to provide documentation to authorities (if requested) of all the processing activity that you’re doing. This could look something like, “In System A, we collect these three data elements, we share it with these three companies, we keep it for this long, and Sally and Jimmy have access to it.” You need to know what systems you have, what data you have in them, and what you’re using the data for.
- Determine if you’re a data controller or a data processor.
- Understand the transfer of data between you and a third party. Maybe that third party is a data processor, vendor, marketing company, etc.
- Document the personal data that is collected in each system.
- Determine if automated data can be deleted (the right to be forgotten).
- Determine if automated data can be ported (the right to data portability).
- Make sure you have proof of consent. Can you document and provide evidence that a user opted in to marketing programs? In the GDPR world, consent is an opt-in model. This is the opposite of how the US operates (usually it’s opt-out).
- Review security controls and determine what gaps exist. While you’re doing data inventory, ask yourself, “How is this data protected? Who has access to it?” You’ll be able to start identifying security gaps and creating remediation plans.
- Review your data breach plan. You need to be able to report breaches in 72 hours.