Got GDPR Anxiety? Here Are 3 Must-Do’s
The tech community has been discussing the European Union’s General Data Protection Regulation (GDPR) as if it were a natural disaster rather than a law. “Are you ready for GDPR?” ask all the emails from vendors hoping to milk the confusion.
More than enough articles have attempted to decipher the rules, predict winners and losers or pour gasoline on our collective fears. Let’s take a different approach: If you run a tech company, serve EU citizens, and even have a GDPR consultant, what are potential ‘blind spots’? And beyond merely complying, how can you manage GDPR gracefully once enforcement begins on May 25, 2018?
- Understand your personal data relationships
The responsibilities of handling personal data are divided into two roles: controller and processor. Depending on which role you play, the legal responsibilities change.
Controllers control personal data – any information that could identify a person (name, email, address, location, etc.). Processors process that personal data on behalf of controllers. This distinction can be messy as your company could be a processor in some relationships and a controller in others. You could even have multiple processor-controller relationships with one company.
If you and your sales and marketing team use Salesforce, you’re the controller, and Salesforce is the processor. If customers ask you to delete their Salesforce record, exercising GDPR’s “Right to be forgotten,” you’re responsible for fulfilling the requests. Salesforce is responsible for enabling you to fulfill the request. Processors provide the delete button; controllers click it.
Beware, B2B companies: one processor might serve another processor. For example, my company SysAid provides an IT service management (ITSM) platform. Customers store personal data in our help desk solution. That makes our customers the controllers and SysAid the processor. However, our cloud platform runs on Amazon Web Services, so Amazon is a processor to SysAid. Amazon also controls personal data of some SysAid employees, perhaps in a CRM file or in an Amazon.com shopping account. But those are separate, unrelated relationships.
Get clear on which role you play in every relationship. Before GDPR is enforced, every contract will need an addendum defining who is controller versus processor. Don’t assume that your vendors or clients are clear on the differences and responsibilities.
- Simulate GDPR requests
EU citizens can ask you to reveal, correct or erase their personal data under GDPR. They can also ask you to stop processing their data in specific ways (e.g. no personalized advertisements) and may even ask for a portable, machine-readable copy of their data (check out GDPR Chapter 3 for details). You do not want these requests bogging down your IT and support staff. Simulate GDPR requests and figure out how to automate them.
As a processor, consider what your customers (especially controllers) will need to do in your system. Draft an FAQ that, rule by rule, explains how your controller can support the “Rights of the data subject.” We’re building our FAQ into workflows that will guide IT staff through GDPR requests. That way, our controllers can respond quickly and independently. We know that investigations are possible, so the workflows document each step and stamp actions with a time and date.
In the consumer tech business, controllers especially need to invest in self-service for GDPR. Note that Google already had a tool for account holders to download their data and highlighted it in an article on its GDPR preparation. Facebook hasn’t announced much about GDPR. However, you’ll notice that its Ad Preferences page, buried in your privacy settings, can handle GDPR requests, such as shutting off targeted ads (a type of data processing). Your platform might already have GDPR tools that just need to be organized into one well-labeled user interface.
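One way to back those workflows with code, as an added example that is not SysAid’s code and not from the article: a small Python handler for the Chapter 3 request types named above (access and a portable, machine-readable copy; rectification; restriction of one processing purpose; erasure), with every action stamped in UTC in an audit log so the steps can be shown to an investigator. The record layout, the field names, the `personalized_ads` consent flag and the two sample customers are constructed for illustration.

```python
"""Data-subject-request workflow with a timestamped audit trail.

Added example, not SysAid's code: an in-memory handler for the GDPR
Chapter 3 rights named in the article. Record layout, field names,
the `personalized_ads` consent flag and the sample customers are
constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample store: subject id -> personal data held about them.
SAMPLE_RECORDS = {
    "u-1001": {"name": "Alice Example", "email": "alice@example.org",
               "country": "DE", "consents": {"personalized_ads": True}},
    "u-1002": {"name": "Bob Example", "email": "bob@example.org",
               "country": "FR", "consents": {"personalized_ads": True}},
}


@dataclass
class DsarHandler:
    records: dict
    audit_log: list = field(default_factory=list)

    def _audit(self, request_type, subject_id, actor, detail=""):
        # Every step is stamped with a UTC time; the log holds the subject id
        # and the action, never the personal data itself, so it survives erasure.
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "request": request_type, "subject": subject_id,
            "actor": actor, "detail": detail,
        }
        self.audit_log.append(entry)
        return entry

    def _require(self, subject_id):
        if subject_id not in self.records:
            raise KeyError(f"no record for {subject_id}")

    def access(self, subject_id, actor):
        """Right of access / portability: a machine-readable copy of the record."""
        self._require(subject_id)
        self._audit("access", subject_id, actor)
        return json.dumps(self.records[subject_id], sort_keys=True)

    def rectify(self, subject_id, actor, **changes):
        """Right to rectification: correct fields; log which fields, not values."""
        self._require(subject_id)
        self.records[subject_id].update(changes)
        self._audit("rectify", subject_id, actor,
                    "fields: " + ",".join(sorted(changes)))
        return dict(self.records[subject_id])

    def restrict(self, subject_id, actor, purpose):
        """Restriction: stop one kind of processing while keeping the record."""
        self._require(subject_id)
        consents = self.records[subject_id].setdefault("consents", {})
        if purpose not in consents:
            raise ValueError(f"unknown processing purpose: {purpose}")
        consents[purpose] = False
        self._audit("restrict", subject_id, actor, purpose)
        return dict(consents)

    def erase(self, subject_id, actor):
        """Right to erasure: delete the record; only the audit entry remains."""
        self._require(subject_id)
        del self.records[subject_id]
        self._audit("erase", subject_id, actor)
        return subject_id not in self.records

    def allowed_processing(self, subject_id, purpose):
        """Check for downstream systems (e.g. ad targeting) before processing."""
        rec = self.records.get(subject_id)
        return bool(rec and rec.get("consents", {}).get(purpose, False))


def demo():
    """Run a simulated sequence of requests and return the handler and export."""
    h = DsarHandler(records=json.loads(json.dumps(SAMPLE_RECORDS)))  # deep copy
    export = h.access("u-1001", actor="support-agent-7")
    h.restrict("u-1002", actor="self-service", purpose="personalized_ads")
    h.rectify("u-1001", actor="self-service", email="alice.new@example.org")
    h.erase("u-1001", actor="support-agent-7")
    return h, export


if __name__ == "__main__":
    handler, export = demo()
    print(export)
    for entry in handler.audit_log:
        print(entry)
```

The design choice worth noting is that the audit log records who did what to which subject and when, but not the values involved: an erasure request that left the erased data sitting in a log would undermine the very right it fulfils.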
- Consider GDPR fines
No company is immune to a data breach, which is one of the quickest ways to get slapped with GDPR’s top fine: €20 million or 4 percent of revenue, whichever is greater. Regulators don’t just send a bill to whomever they assume to be responsible – they investigate.
Controllers have 72 hours to alert regulators after a breach, and must notify people at risk “without undue delay.” Processors are expected to notify the controller ASAP if they detect the breach first. More importantly, EU regulators want to see that your company (whether you’re the controller or processor) did everything reasonably possible to prevent the incursion and protect personal data. They’ll focus on your cybersecurity processes – what you say you do – and governance – how you track and enforce execution of these processes.
Consider the Meltdown and Spectre vulnerabilities that swept the tech headlines earlier this year. Had they surfaced after May 25 and led to data breaches, the EU would have investigated. GDPR doesn’t say, “Thou shalt encrypt all personal data.” Still, if a company leaked unencrypted data due to Meltdown or Spectre, regulators might deem that company negligent in addition to blaming the chip manufacturers. Until investigators set precedents, GDPR is open to interpretation.
In other words, GDPR doesn’t prescribe how to protect data, but EU regulators still judge whether you took sufficient precautions (fair, right?). Update your processes and governance as if you were expecting an investigation. Be ready to show that you took exhaustive measures to protect personal data.
On the bright side…
GDPR rules are nebulous, tricky and unpredictable. That’s why it feels like a force of nature and has caused so much scaremongering.
On the bright side, GDPR enshrines the principle that people are the masters of their own data. From my perspective, this philosophy could be a turning point for cloud technology vendors. Many European companies have hesitated to adopt the cloud due to the lack of governance around data. But under GDPR, cloud vendors acting as processors share the legal burden of protecting data. Beginning May 25, they will pay a price for shirking that responsibility.
If this article sounded like gibberish, or GDPR still seems like a natural disaster, stop Googling articles. Go hire a GDPR consultant today.
Sarah Lahav is CEO of SysAid.