By Mariann McDonagh, CMO, erwin, Inc.
The European Union’s General Data Protection Regulation (GDPR) has a broad wingspan. No company is exempt from its reach, and neither are the members of its partner network. Under the new rules, every company and every third-party processor it uses, partners included, is directly and legally obligated to comply.
The regulation’s requirements apply to any business in any sector, regardless of where the company is based, that serves even one individual located in the EU. The penalties for failing to meet GDPR requirements are severe: fines of up to €20 million or 4% of the company’s global annual turnover for the previous year, whichever is greater.
Although the date on which GDPR becomes enforceable, May 25, 2018, is fast approaching, many organizations remain unprepared for the regulation. That is particularly apparent among those not based in Europe: just 6% of North American enterprises say they are ready for the upcoming regulation, according to the 2018 State of Data Governance research conducted by erwin and UBM.
So how can you prepare for GDPR?
GDPR has been called the most comprehensive data privacy law in the world, and the demands it makes on organizations are correspondingly all-encompassing. Protecting what has traditionally been considered personally identifiable information (PII), such as people’s names, addresses and government identification numbers, that a business collects and hosts is only the beginning of what GDPR expects.
For one thing, personal data now means anything collected or stored that can be linked to an identifiable individual, right down to online identifiers such as IP addresses. And the term applies not only to individual pieces of information but also to how they can be combined to reveal an identity or a relationship. For another, the obligation is no longer limited to the data a business gathers, processes and stores itself; it extends to any personal data it obtains from third-party sources.
Other highlights of GDPR you and your partners should be familiar with include:
While you are working diligently to ensure your own organization complies with GDPR, your organization is also explicitly responsible for the readiness and conduct of the third parties that collect, store or process the personal data of the EU data subjects you serve.
Additionally, the roles and responsibilities under GDPR have changed from those under the Data Protection Directive (95/46/EC) it replaces. GDPR defines three important roles: the controller, the processor and the data protection officer (DPO).
Per the Information Commissioner’s Office (ICO), the contract requirements under GDPR are wider than before and are no longer confined to ensuring the security of personal data; they are aimed at ensuring and demonstrating compliance with all of GDPR’s requirements. GDPR sets out specific terms that must, at a minimum, be included in any controller-processor contract. The contract must state the details of the processing and set out the processor’s obligations, including the standards the processor must meet when processing personal data and the permissions it needs from the controller in relation to that processing.
Organizations should be careful when accepting personal data from their partners. If you take the data in-house, you must apply all GDPR policies and controls to it just as you would to data you collected yourself. Even if your partner has obtained consent and performed every step GDPR requires, you, as a separate legal entity, still need to establish your own lawful basis and offer data subjects the same rights and options, independent of the partner. A robust data sharing agreement can reduce the burden, but organizations must still perform their own due diligence. At the very least, you should identify which fields contain personal data and which records must be erased or anonymized when a data subject requests it.
Readiness is the key to success for GDPR and beyond. In addition to traditional data security and privacy awareness, organizations must expand their data governance expertise so that they know every system in which personal data is located and every interaction that touches it. Understanding where each piece of data originated, its full lineage, and how it is handled across the complete ecosystem is critical both to ensure that security is applied at every appropriate level and, in the event of a breach, to quickly identify the points at which an individual’s data may have been compromised.
That same understanding is what allows a business to ensure that corrections, erasures and other data subject requests are honored in a timely manner. And unless mechanisms are in place so that any new system that intersects with personal data is deployed with the right data governance from the start, companies will fall short of GDPR’s “data protection by design and by default” requirement.
Pursuing these initiatives in a comprehensive and holistic way makes sense not only for achieving GDPR compliance but also for making an organization’s employees smarter about their data. Data governance is also the engine behind higher customer satisfaction and better decision-making.
Many free GDPR assessment tools are available to help your organization gauge its readiness and understand how to improve its compliance posture. As a practical starting point for your channel partners, the Information Commissioner’s Office (ICO) publishes a self-assessment questionnaire whose questions you can put directly to your third-party partners.
Regardless of industry, businesses and their partners must prepare for GDPR now. The bonus is that organizations that build these capabilities will be well positioned to understand the data assets they hold, align them with GDPR requirements, and keep them in sync as changes occur across the enterprise. Even organizations that have made little GDPR progress to date will find they can reach that goal more quickly, while also gaining the data agility to improve their overall business operations.