Strategies to Ensure Compliance as Deadline Approaches
Whether your company is already operating in the European Union or has expansion plans there in the future, the upcoming GDPR rules will have a profound impact on how all organizations handle, manage and use consumer data. Even if your website simply collects data on EU citizens, you must comply or face fines of up to €20 million or 4 percent of global annual turnover. Companies will face five common challenges on the path to compliance.
Though the GDPR implementation date is less than one year away, companies large and small are still struggling to comprehend what must be done to prepare. The General Data Protection Regulation (GDPR) seeks to improve privacy protection for consumers by changing the way businesses collect, use and transfer personal data. Companies purposely were given plenty of warning about the changing policies, but the vague language and complex structural changes mean a complete overhaul to anything remotely related to data in all companies – even for companies outside of the European Union and United Kingdom that do business with the U.K. and EU member states.
There are five main challenges companies need to address immediately in regard to data.
- Data Storage and Access
- Team Compliance and Training
- Data Subject Requests
- Data Notifications
- Adaptability and Scalability
GDPR does not only affect IT departments; instead, this new regulation reaches far and wide, from human resources to finance and anyone in between who touches data. Companies that address these five challenges will be more ready to face the GDPR’s implementation deadline of May 25, 2018.
Data Storage and Access
Companies that store data in one place may have an easier time with this first step. Businesses need first to assess where data is stored and who has access to what data. Companies need to audit all data sources to look at what data is collected, how it’s used, who can use it and for how long. Thankfully, there are tools to help organisations centralise data from multiple sources and monitor its use. Companies that do not use a platform should consider investing in one in order to ensure they know where all data lives and who sees what.
Team Compliance and Training
All teams need to understand the changes and regulations of GDPR and how it applies to their daily work. This means much more collaboration between teams that must be done quickly. GDPR is making data usage more transparent for consumers, which means customer service representatives will need to know what information they can divulge, what they cannot and what constitutes noncompliance. Ideally, the customer service representative will not have to ask the IT or data team each time they receive a request; instead, companies should train individuals to be able to quickly and correctly answer questions. The customer service team will need to have close communication with legal, finance and HR teams as well, to update them on any developments or problems. Companies that begin to define this process now will have a smooth transition upon GDPR implementation.
Data Subject Requests
“Data subject rights” is one of the biggest changes and challenges of GDPR. Under the new regulation, data subjects have the right to obtain:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to its source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Businesses have no idea how many requests they will receive, but they need to prepare for a significant amount by having a robust process in place. Companies can use data science platforms to implement a sound process and practise the process up to implementation. Since violations of GDPR result in steep penalties, organisations that set up a process now have time to find faults in their internal system and alert necessary team members.
Furthermore, a data science platform can automate this process for companies while maintaining transparency about who does what within the organisation. Those investing in a platform ought to begin now in order to train appropriate team members and update the company on best practices.
When a data subject requests information, GDPR stipulates that the information is given in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.” Companies can no longer use vague language about consumer data meant to confuse or mislead an individual. This means all privacy notices most likely have to be rewritten in order to comply to GDPR.
Businesses should take stock of all privacy notifications, assess if the information could be read by a child and rewrite accordingly. Furthermore, companies most likely will now have to create new privacy policies, as GDPR grants more access to data. Once businesses solidify data subject request processes, they should write corresponding notices that are easy to understand.
Adaptability and Scalability
Again, some of the language used in the GDPR is vague, which means companies need to put in place processes that can adapt to change. Furthermore, the solution needs to be scalable as well, in order to process more data subject requests. Companies should use technological platforms that allow transparency within the team, along with compliance with GDPR. Since these regulations are new, there will be a learning curve, but businesses with organised solutions in place will be better off than those trying to adapt later on.
Addressing these five challenges is just the beginning to becoming GDPR compliant. There are many smaller structural changes organisations will need to make as well. However, by using a technological solution that can streamline the process, companies will be in a better position to make smaller changes. Especially for companies that do not hire a Data Protection Officer (DPO), having a data science platform will be crucial for teamwide collaboration. Those companies with a DPO can benefit from a data science platform as well, which will allow the entire company transparent knowledge about all things data.
To learn more about Big Data and GDPR download the free whitepaper “Five Essential Pillars of Big Data GDPR Compliance“