By Tim Jesser, Director of Global Product Marketing, Snow Software
After years of speculation and two years of stark warnings, it’s finally here. Enforcement of the EU’s General Data Privacy Regulation (GDPR) is in effect, but according to a report from the Ponemon Institute released last month, nearly half (48%) of organisations didn’t expect to hit the May 25th deadline, or didn’t know when they would.
Some organisations area couple of years into their GDPR journey, while others have left things a little late, only recently realising the monumental effort required to achieve compliance.If you are in the latter group, which if the statistics are to be believed is quite a number of organisations, you don’t need to panic just yet.
That doesn’t mean you should be taking it easy. The longer you delay, you increase the risk of spending an inordinate amount of time scrambling to respond to regulators, taking precious focus away from achieving business goals. The hardest part of any journey is starting, so if you’re still formulating your GDPR plans, here are a few steps that will simplify the process.
- Appoint a data protection officer
Under GDPR, a Data Protection Officer (DPO) is required for all public authorities organizations that regularly process personal data, or organisations that process sensitive personal data. Banking and finance fits squarely within the latter two categorisations, which means nearly all organisations in this industry will need to hire a DPO. With estimates of needed DPOs estimated at 75,000, competition will be significant and it is recommended to start the search now if you haven’t already.
- Focus on the articles that matters most
With 99 articles, GDPR isn’t a quick read. Fortunately, not every article is created equal and focusing on the most important information up front will stand you in good stead. These are:
- Article 30: Records of processing activities (RoPA). The RoPA centres on identifying where personal data is being processed, who is processing it and how it is being processed.
- Article 32: Security of Processing. Within Article 32 is the “technical and organisational measures” language which states that organisations must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Remember that ‘appropriate’ means just that. Don’t let GDPR alarmists tell you that ‘appropriate’ means you absolutely must buy their state of the art security software. The truth is we don’t know yet how regulators will enforce and interpret this article and others. Do your best, document your efforts, and that will go a long way towards satisfying regulators.
- Article 35: Data Protection Impact Assessment (DPIA). A DPIA is the documentation of especially sensitive data processing and the protection measures that have been established for this processing.
- Get enterprise wide visibility
Most organisations beginning their journey to GDPR compliance, understand the importance of identifying the location of prominent personal data repositories such as ERP systems, along withCRM tools such as Marketo and Salesforce. But these commonly used systems often represent just a fraction of the resources that process personal data.
Like an iceberg, the vast majority of such applications are considerably less visible to the business and not necessarily front of mind for the GDPR team. Of significance here is the growing number ofSaaS applications purchased by business units with little to no involvement by IT. If you can’t find a way to gain total visibility of your software and IT assets, you really don’t have much hope of being GDPR compliant. Establishing GDPR compliance requires complete visibility of all personal data repositories across the enterprise.
- Shine a light on blind spots
Blind spots are the‘unknown unknowns’; a phrase made famous by former US Secretary of Defense, Donald Rumsfeld. You don’t even know you have them. Blind spots can be particularly problematic when it comes to personal data repositories. It is important to utilise automated discovery tools to uncover all personal data repositories across the enterprise.
You need to be particularly aware of the data held on mobiles. Not only do these devices maintain personal data, they also process information on the user. In addition, they are especially susceptible to be being lost, potentially running afoul of GDPR directives on maintaining control of personal data.
- Buildyourpeople, processandtechnologyas one
There is no silver bullet to GDPR compliance. No single application tobuy or consultant to hirethat will take away all GDPR pain. Instead, compliance takes a combination of people, processes and technology.
People: Set up a cross-functional data governance team, made up of the DPO, IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing. Befitting the criticality of GDPR compliance, this team should report to the Board of Directors.
Processes: Once the data governance team has defined what personal data means, they need to share this understanding across the organisation. In addition, privacy rules must be documented and shared across all lines of the business.
Technology: There are a number of solutions that can accelerate and maintain GDPR compliance including:
- Case management systems for handling data subject requests
- Data discovery systems for finding applications, structured data, and unstructured data
- Identity and Access Management to track role management and who has access to which data
- Software Asset Management can help create the system, users and device visibility required to ensure claims of “compliance” are based on a complete understanding of the enterprise
There is still time to become GDPR compliant before it has an ill effect on your organisation. But in an industry where sensitive customer information is prevalent, you may not get as much wiggle-room as those operating in other sectors. Take note of the above, start the process of getting yourself organised sooner rather than later, and you’ll find that you’re a long way towards being compliant before you know it.