Well, the end of May is here and GDPR is now in effect. Realizing that all along, I’ve stated that the articles that I’ve written are a three-part series, I find myself needing to write one last article on the Regulation.
Actually, the conversation with my compliance manager went something like this “Sue-you’ve written a series of articles telling everyone how to prepare for GDPR. How can you not write about what to do after the Regulation goes into effect? You’re doing a disservice to the industry.” This discussion occurred over and over and over until I finally gave in. So, Michael – this article is dedicated to your relentless pursuit of compliance to the Reg.
What is also amazing, is to know that I was able to communicate the importance of GDPR to people all over the world and I thank those individuals that reached out with questions, as I was only too happy to help in your quest to reach compliance. For those that incessantly called to sell me a GDPR product or service – I’m think I’m good. In fact, I’m taking May 25th off – as we are prepared and I’d even go one more step to say that we are in compliance.
If you have not seen the previous articles that I’ve written – let’s go back in time. The first article talked about the ambiguity of the Regulation. Then, we discussed the outrageous fines for non-compliance. Last month, we touched upon the impact to the business and how technology can help. For this final article, we’ll discuss the final stages of preparation and ongoing maintenance.
The next question is a check-point. If you have been paying attention to my articles and are doing business with a European Union citizen – no matter where they are located in the world and are a company with a population of 250 or more – then the Regulation applies to you. So, tell me, are you ready for GDPR?
We just spent the latter part of the last year preparing for GDPR. I’m serious, you really do need to test. Test…test what?? Well, ask yourself, have you tested processing a SAR (subject access request)? Have you tested the creation of a DPIA (data processing impact assessment)? Have you rewritten a standard DPA (data processing agreement) and asked every customer, supplier and vendor to sign the document? Have you reviewed and potentially modified the company’s privacy statement? Are you doing business in a European State that has other privacy laws that may or may not abide by the Regulation? How are you testing these scenarios? Have you created detailed workflow plans to test every type of GDPR request? Does the company have a review board to understand and consider the PII (personal identifiable information) that may be a part of the SAR request? Do you know who in the organization can see, search for or process PII? And lastly, are there safeguards in place to ensure that the data subject is indeed the person who can request, receive and see the data in response to the SAR request? If you haven’t tested all of these scenarios, then you are not ready for GDPR and in fact, your company is woefully unprepared for the Regulation.
Lastly, has a ‘surprise’ test been run to test the staff that is responsible to process the above items? If you have answered ‘no’ to most of the above questions – you’ll need to admit to yourself that your company may be subject to a fine; if a supervisory authority knocks on your door. How quickly can you back pedal to the questions regarding a data subject, their PII and your company’s ability to process or stop the processing of data? Can you prove what you’re saying is indeed valid?
Let’s not kid ourselves, some company out there is going to be made an example of and will pay the hefty fines….so, tell me, is it your company?
Here’s where the rubber meets the road and you’ll need to ask yourself, what happens on May 26th when 1 or 10 or a 1000 or 10,000 SARs are requested, and your company only has 30 days to respond?
Types of Requests
As a reminder, when an EU citizen requests the following through a SAR, a response would be needed to comply with the law. Automation is a key component of satisfying a SAR request.
- Right of access by the data subject
- Right to rectification
- Right to erasure or to be forgotten
- Right to restriction of processing
- Right to data portability
- Right to object
Another area of clarity that has changed over the months, is if a security breach occurs that is either accidental or an unauthorized intrusion; then a communication to the Supervisory Authority and to your customers is needed – within a 72-hour timeframe. Companies are now hearing that 72 hours is not adequate to communicate a breach and the EU prefers that the timeline be within 12 to 24 hours at most. Within this timeframe, at best, we are looking at a high-level communication – as most companies would need additional time to perform forensic analysis on a breach and this could take weeks, if not months.
The last article discussed the technologies that can anonymize data and that this is one way to protect PII, but technology alone is not enough to achieve compliance. Policy and processes are also needed to be included in the mix, for a 360° view into the applications that process employee and customer data.
In closing, I hope that you’ve enjoyed these articles and that I’ve been able to help in providing education to yourself and your company regarding the Regulation. As always, feel free to reach out with questions.
@2018 All Rights Reserved
Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at firstname.lastname@example.org.
*The content within this article are the sole opinions of the author.