The European Union’s General Data Protection Regulation (GDPR) goes into enforcement in four short months, and many are talking about the regulation as if it were a natural disaster: “Are you ready for GDPR?”
While there’s no need for panic — especially if you’re already working towards compliance — there are a few elements of the regulation that can be easy to get wrong and so are worth a little extra focus. Let’s take a look specifically at those areas:
1. Get clear on your ‘controller’ and ‘processor’ relationships
GDPR divides the responsibilities of handling personal data into two roles: controller and processor. The legal responsibilities change depending on which role you play.
Controllers control personal data – any information that could identify a person (name, email, address, location, etc.). Processors process that personal data on behalf of controllers. This distinction creates a messy, Russian-doll system because your company could be a processor in some relationships and a controller in others. You could even have multiple processor-controller relationships with one company.
Do your sales and marketing teams use Salesforce? You’re the controller, and Salesforce is the processor. If customers ask you to delete their Salesforce record, exercising GDPR’s “Right to be forgotten,” you’re responsible for fulfilling the requests. Salesforce is responsible for enabling you to fulfill the request. Processors make the delete button; controllers click it.
B2B companies beware: One processor might serve another processor. For example, my company makes an IT service management (ITSM) platform. Customers store personal data in our Help Desk solution. That makes our customers controllers and my company a processor. However, our cloud platform runs on Amazon Web Services, so Amazon is a processor to us. Amazon controls personal data of some of our employees, perhaps in a CRM file or in an Amazon.com shopping account. But those are separate, unrelated relationships.
Get clear on which role you play in every relationship. Before GDPR is enforced, every contract will need an addendum defining who is controller versus processor. Don’t assume your vendors or clients are clear on the differences and responsibilities.
2. Prepare for GDPR investigations
They used to say the only certain things in life were death and taxes. Add cyberattacks to that list. No company is immune to a data breach, which is one of the best ways to get slapped with GDPR’s top fine: €20 million or 4 percent of revenue, whichever is greater. Regulators don’t just send a bill to whomever they assume is responsible – they investigate.
After a breach, controllers have 72 hours to alert regulators and must notify people at risk “without undue delay.” Processors are expected to notify the controller ASAP if they detect the breach first. More importantly, EU regulators want to see that your company (whether you’re the controller or processor) did everything reasonably possible to prevent the incursion and protect personal data. They’ll focus on your cybersecurity processes – what you say you do – and governance – how you track and enforce execution of these processes.
Consider the Meltdown and Spectre vulnerabilities that just swept headlines. Had they surfaced after May 25 and led to data breaches, the EU would have investigated. GDPR doesn’t say, “Thou shalt encrypt all personal data.” Still, if a company leaked unencrypted data due to Meltdown or Spectre, regulators might deem that company negligent in addition to blaming the CPU manufacturers. Until investigators set precedents, GDPR is open to interpretation.
In other words, GDPR doesn’t prescribe how to protect data, but EU regulators still judge whether you took sufficient precautions (fair, right?). Update your processes and governance as if you were expecting an investigation. Be ready to show that you took exhaustive measures to protect personal data.
3. Make sure you have an automated response system in place for GDPR requests
Under GDPR, EU citizens can ask you to reveal, correct, or erase their personal data. They can also ask you to stop processing their data in specific ways (e.g. no personalized advertisements) and may even ask for a portable, machine-readable copy of their data (check out GDPR Chapter 3 for details). You do not want these requests bogging down your IT and support staff. Simulate GDPR requests and figure out how to automate them.
As a processor, consider what your customers (especially controllers) will need to do in your system. Draft an FAQ that, rule by rule, explains how your controller can meet the “Rights of the data subject.” At my company, we’re building our FAQ into workflows that will guide IT staff through GDPR requests. That way, our controllers can respond quickly and independently. We know that investigations are possible, so the workflows document each step and stamp actions with a time and date.
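The workflow described above (access, rectification, erasure, restriction of processing, portability, with every step time-stamped for a later investigation) can be sketched in a few dozen lines. The following is an added example written for this article; it is not SysAid's code or any product's API. The data store, subject IDs and actor names are constructed, the audit trail is an in-memory list, and each entry carries the SHA-256 hash of the previous entry so that an edited or deleted step is detectable when the log is reviewed.

```python
"""Auditable handler for GDPR data-subject requests (constructed example)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample store: data-subject id -> personal data held by the controller.
RECORDS = {
    "subj-42": {"name": "Example Person", "email": "person@example.test", "city": "Lyon"},
    "subj-43": {"name": "Another Person", "email": "another@example.test", "city": "Porto"},
}
# Processing restrictions per subject, e.g. {"subj-42": {"personalised_ads"}}.
RESTRICTIONS = {}
# Append-only audit trail. Each entry stores the hash of the previous entry, so
# removing or editing a step breaks the chain and verify_audit_log() fails.
AUDIT_LOG = []

SUPPORTED = ("access", "rectify", "erase", "restrict", "port")


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _audit(action, subject_id, actor, outcome, detail=None):
    """Append one time-stamped, hash-chained audit entry. Never log field values,
    only which fields were touched, so the log itself holds no personal data."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "subject": subject_id,
        "actor": actor,
        "outcome": outcome,
        "detail": detail,
        "prev": prev,
    }
    entry["hash"] = _entry_hash(entry)
    AUDIT_LOG.append(entry)
    return entry


def handle_request(kind, subject_id, actor, payload=None):
    """Execute one data-subject request on behalf of a controller and record it."""
    if kind not in SUPPORTED:
        _audit(kind, subject_id, actor, "rejected", "unsupported request type")
        return {"ok": False, "error": "unsupported request type"}
    record = RECORDS.get(subject_id)
    if record is None:
        _audit(kind, subject_id, actor, "rejected", "no record for subject")
        return {"ok": False, "error": "no record for subject"}

    detail = None
    if kind == "access":                      # reveal what is held
        result = {"ok": True, "data": copy.deepcopy(record)}
    elif kind == "rectify":                   # correct only fields that exist
        changed = {k: v for k, v in (payload or {}).items() if k in record}
        record.update(changed)
        detail = sorted(changed)
        result = {"ok": True, "changed": detail}
    elif kind == "erase":                     # right to be forgotten
        del RECORDS[subject_id]
        RESTRICTIONS.pop(subject_id, None)
        result = {"ok": True}
    elif kind == "restrict":                  # stop a specific kind of processing
        purpose = (payload or {}).get("purpose", "all")
        RESTRICTIONS.setdefault(subject_id, set()).add(purpose)
        detail = purpose
        result = {"ok": True, "restricted": sorted(RESTRICTIONS[subject_id])}
    else:                                     # port: machine-readable export
        result = {"ok": True, "export": json.dumps(record, sort_keys=True)}
    _audit(kind, subject_id, actor, "completed", detail)
    return result


def may_process(subject_id, purpose):
    """Check a processing purpose against the subject's recorded restrictions."""
    restricted = RESTRICTIONS.get(subject_id, set())
    return not ("all" in restricted or purpose in restricted)


def verify_audit_log():
    """Re-walk the hash chain; False means an entry was altered or removed."""
    prev = "0" * 64
    for entry in AUDIT_LOG:
        if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    handle_request("restrict", "subj-42", "agent-1", {"purpose": "personalised_ads"})
    handle_request("erase", "subj-42", "agent-1")
    print("chain intact:", verify_audit_log(), "entries:", len(AUDIT_LOG))
```

Two design choices matter for an investigation. The audit entries record which fields were changed, not their values, so the log can be handed to a regulator without becoming another store of personal data; and the hash chain gives the reviewer a cheap way to confirm that the sequence of steps they are shown is the sequence that actually ran. In a real deployment the chain anchor would be written to storage the request-handling service cannot modify.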
Controllers in the consumer tech business especially need to invest in self-service for GDPR. Note that Google already had a tool for account holders to download data and highlighted it in an article on its GDPR preparation. Facebook hasn’t announced much about GDPR. However, you’ll notice that its Ad Preferences page, buried in your privacy settings, can handle GDPR requests such as shutting off targeted ads (a type of data processing). Your platform might have GDPR tools that just need to be organized into one, well-labeled user interface.
The bright side to GDPR
The rules of GDPR are nebulous, tricky, and unpredictable. That’s why it feels like a force of nature and has caused so much scaremongering.
On the bright side, GDPR enshrines the principle that people are the masters of their own data. This philosophy could be a turning point for cloud technology vendors.
Many European companies have hesitated to adopt the cloud due to the lack of governance around data. But under GDPR, cloud vendors acting as processors share the legal burden of protecting data. Beginning May 25, they will pay a price for shirking that responsibility.
Note: If this article sounded like gibberish, or GDPR still seems like a natural disaster, stop Googling articles and go find a GDPR consultant.
Sarah Lahav is CEO of SysAid.