How should organizations, both in the European Union and across the globe, address the complex data management requirements set out in the General Data Protection Regulation (GDPR)?
With a two-year lead time to prepare for it, the GDPR comes into force May 25, 2018, ready or not. Even after fundamental education is acquired on the initial version of this complex and weighty regulation, clarifications (called recitals) have been and will continue to be published regularly to aid in interpretation.
Given this fluid context, what do we know about the provisions that organizations should rally around now? What are the implications and solutions that are necessary on the handling of personal and sensitive data?
Here, I will explore the fundamental themes in the GDPR and the data management controls that support the core path to complying with the regulation.
GDPR AND DATA MANAGEMENT CONTROL THEMES
There are many published lists of topics in the GDPR that roughly link to the “articles” or sections in the regulation. Grouped into three areas, the long list becomes a little more digestible to discuss.
1. FOCUS ON DATA SUBJECT RIGHTS
There are six GDPR themes that specifically address the privacy rights and data rights of “data subjects,” or individuals, whether they are customers or employees. This covers their Personal Identifying Information (PII) and Sensitive Personal Information (SPI).
DATA SUBJECT RIGHTS
- Right to Be Forgotten
- Data Subject Consent
- Right of Data Portability
- Right of Access
- Right to Object
Implications for Data Management Controls
Organizations must provide a:
- Method for capturing and keeping the individual’s explicit consent for the specific uses of their data and for each different use over time
- Mechanism for inquiry into the uses made of the individual’s data (and any objection) and a way to request complete removal of their data from anywhere in the organization
- Process for responding to individual inquiries to attest to the removal of data, and/or blocking certain or all uses of personal data and/or allowing personal data to be used with other organizations (“portability” purposes)
- Process for notifying individuals, as well as the Data Protection Authority (DPA), of any security or privacy breach affecting their PII/SPI, including information on what types of personal data were exposed, the implications, and the recommended personal actions to take to mitigate risk
The handling and communication of data uses has widespread implications for technical solutions and for the alignment of policies and procedures across the affected organizations.
Customer Relationship Management (CRM) systems will be front and center. For example, point-of-contact notifications (on websites and in transaction processing) describing the proposed uses of an individual’s data in clear language, with logging of the choices made, will be required. Whether and how an individual opts to receive marketing materials must be tracked, and marketing initiatives must be filtered accordingly. Likewise, whether they agree to profiling in support of marketing initiatives must be tracked and made available to all projects and programs. Changes in preferences must be supported, including requests for complete removal.
Metadata solutions are required, including basic definitions of data elements, data lineage, and identification of the personal data “packages” held on each individual. Deep integration will be needed across IT architectures from the front office to the back. Metadata that tracks where personal and sensitive information flows in your organization is critical, so that inquiries on usage and removal can be practically supported and evidenced.
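The consent-handling requirements above (explicit, per-purpose consent; logging of choices at the point of contact; filtering of marketing initiatives; withdrawal and complete-removal requests; an inquiry history for the individual) translate into a fairly small data structure. The following is an added illustration, not code from the original article or from FSFP: an append-only consent ledger in Python. The purpose names, source labels and sample events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one entry per specific use, e.g. "marketing_email", "profiling" (assumed names)
    granted: bool         # True = explicit opt-in, False = refusal or later withdrawal
    recorded_at: datetime
    source: str           # point of contact where the choice was captured (web form, call centre, ...)
    notice_version: str   # version of the plain-language notice the subject was shown


class ConsentLedger:
    """Append-only log of per-purpose consent decisions.

    Nothing is overwritten, so the full history can be produced as evidence
    for an inquiry or audit; the current state of a purpose is simply the
    latest event recorded for it.
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, source: str,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted,
                          at or datetime.now(timezone.utc), source, notice_version)
        self._events.append(ev)
        return ev

    def current(self, subject_id: str, purpose: str) -> Optional[bool]:
        """Latest decision for this subject and purpose; None if never asked."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if latest is None or ev.recorded_at >= latest.recorded_at:
                    latest = ev
        return None if latest is None else latest.granted

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # No record at all counts as no consent: silence, inactivity or a
        # pre-ticked box is not an explicit opt-in.
        return self.current(subject_id, purpose) is True

    def withdraw_all(self, subject_id: str, source: str,
                     at: Optional[datetime] = None) -> List[ConsentEvent]:
        """Handle a 'stop everything' request by withdrawing every purpose still granted."""
        purposes = sorted({ev.purpose for ev in self._events if ev.subject_id == subject_id})
        return [self.record(subject_id, p, False, source, "withdrawal", at)
                for p in purposes if self.has_consent(subject_id, p)]

    def audience(self, subject_ids: Iterable[str], purpose: str) -> List[str]:
        """Filter a campaign's target list down to subjects who consented to this purpose."""
        return [s for s in subject_ids if self.has_consent(s, purpose)]

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, for an access-request response."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed sample events for a quick demonstration.
    ledger = ConsentLedger()
    day = lambda d: datetime(2018, 5, d, tzinfo=timezone.utc)
    ledger.record("s1", "marketing_email", True, "web_form", "v1", day(1))
    ledger.record("s2", "marketing_email", True, "web_form", "v1", day(1))
    ledger.record("s2", "marketing_email", False, "preference_centre", "v1", day(2))
    print(ledger.audience(["s1", "s2"], "marketing_email"))   # only s1 may be mailed
```

Every marketing or profiling job should go through `audience()` rather than reading a flag on the customer record, so that a withdrawal recorded at any point of contact takes effect everywhere at once; `history()` is what backs the inquiry process described above.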
Enterprise policies and standards communicate what behaviors are required across the organization when handling personal data and must reflect the requirements of the GDPR as appropriate to the organization.
2. TECHNICAL CHANGE
- Privacy Impact Assessments
Implications for Data Management Controls
- The regulation will require a review of security and privacy provisions, with projects launched to fill any gaps, including analysis, coordinated response, reporting, and informing affected individuals and, as appropriate, the DPA.
- Understanding the technical infrastructure underlying data flows and security provisions is key to controlling cross-border transfers of personal and sensitive data to countries that may not have the required protections. Marks, certifications, legal advice and audits may be necessary, based on a risk assessment.
- Pseudonymization of data, combined with a retention and destruction plan, is a technique for protecting data and limiting its exposure.
- Privacy Impact Assessments (PIAs) are performed for all newly proposed uses or exposures of PII/SPI, in order to monitor and enforce compliance with protection policies and standards.
Security and Privacy
Reporting an “impactful” data breach to the DPA within 72 hours of becoming aware of it is part of the new regulation. The organization must make sure it understands what makes a breach impactful and have a process for addressing and reporting breaches. The organization should implement best practices for breach detection, with regularly tested desktop dry-runs that rehearse the coordination of analysis, reporting and response to affected individuals.
Pseudonymization mechanisms require technical study for adequacy and should be added to the enterprise architecture as necessary. Retention and destruction of personal and sensitive data has largely been ignored in organizations in the past, because storage is cheap relative to the effort of deploying destruction provisions. The GDPR is pushing a shift here, as the risk of penalties for retaining data beyond the uses the individual approved and beyond the organization’s own policy-driven needs drives appropriate action.
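To make the pseudonymization and retention points above concrete, here is an added Python example (not code from the original article or from FSFP). It keeps the pseudonymization key apart from the data set, so that the data cannot be linked back to a person without that separately held “additional information”; it lets the organization still locate a subject’s records for an access or removal request; and it applies a per-purpose retention period, destroying the key for a purpose once nothing is left under it, so that any stray copy of the pseudonymized data becomes permanently unlinkable. The sample records, field names and retention periods are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample records (no real people); "purpose" is the approved use.
SAMPLE_RECORDS = [
    {"email": "a.person@example.com", "name": "A. Person", "purpose": "marketing",
     "collected_at": datetime(2017, 1, 15, tzinfo=timezone.utc), "segment": "retail"},
    {"email": "b.person@example.com", "name": "B. Person", "purpose": "marketing",
     "collected_at": datetime(2018, 3, 1, tzinfo=timezone.utc), "segment": "wholesale"},
    {"email": "a.person@example.com", "name": "A. Person", "purpose": "warranty",
     "collected_at": datetime(2016, 6, 1, tzinfo=timezone.utc), "segment": "retail"},
]
DIRECT_IDENTIFIERS = ("email", "name")
RETENTION_DAYS = {"marketing": 365, "warranty": 730}   # assumed policy values


class KeyStore:
    """Per-purpose pseudonymization keys, held apart from the data set.

    Destroying a key makes every pseudonym derived from it unlinkable,
    even for the organization itself (crypto-shredding).
    """

    def __init__(self):
        self._keys = {}

    def create(self, purpose):
        self._keys[purpose] = secrets.token_bytes(32)

    def get(self, purpose):
        return self._keys[purpose]

    def exists(self, purpose):
        return purpose in self._keys

    def destroy(self, purpose):
        self._keys.pop(purpose, None)


def pseudonym(key, identifier):
    """Keyed hash: nobody without the key can recompute or brute-force the mapping."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records, keystore, direct_identifiers=DIRECT_IDENTIFIERS):
    """Strip direct identifiers and attach a per-purpose pseudonym instead.

    Using a different key per purpose means the same person's marketing and
    warranty records cannot be joined without both keys.
    """
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in direct_identifiers}
        pseudo["subject"] = pseudonym(keystore.get(rec["purpose"]), rec["email"])
        out.append(pseudo)
    return out


def find_subject(records, keystore, email):
    """Locate one person's records (for an access or removal request) by recomputing
    the pseudonym under each purpose key still held; the e-mail is never stored."""
    hits = []
    for rec in records:
        if not keystore.exists(rec["purpose"]):
            continue
        expected = pseudonym(keystore.get(rec["purpose"]), email)
        if hmac.compare_digest(rec["subject"], expected):
            hits.append(rec)
    return hits


def apply_retention(records, keystore, now, retention_days=RETENTION_DAYS):
    """Destroy records older than their purpose's retention period. When nothing is
    left for a purpose, destroy its key too, so stray copies are unlinkable."""
    kept, destroyed = [], []
    for rec in records:
        limit = timedelta(days=retention_days[rec["purpose"]])
        (destroyed if now - rec["collected_at"] > limit else kept).append(rec)
    for purpose in {r["purpose"] for r in destroyed}:
        if not any(r["purpose"] == purpose for r in kept):
            keystore.destroy(purpose)
    return kept, destroyed


if __name__ == "__main__":
    ks = KeyStore()
    for p in RETENTION_DAYS:
        ks.create(p)
    data = pseudonymize(SAMPLE_RECORDS, ks)
    kept, gone = apply_retention(data, ks, datetime(2018, 5, 25, tzinfo=timezone.utc))
    print(len(kept), "kept,", len(gone), "destroyed")
```

The retention step is what gives the pseudonymization its teeth: a keyed hash protects data that is still in use, while key destruction is the practical answer to “how do we evidence that a backup or analytics copy no longer identifies anyone” once the approved use has ended.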
With the GDPR, a data life cycle approach to architecture designs is needed. A first step is to perform a current-state review for controls on data flows and uses, as well as traceability for PII/SPI. A need for new tools may emerge for tracking requests from customers and employees on their data, as well as risk and impact assessments, breach detection and pseudonymization. Audit capability for this tooling must be supported, as well.
Data that flows across borders carries regulation compliance implications and requires inspection.
Organizations should consult with Legal and Risk, the Data Protection Officer (DPO) and other stakeholders on the current-state assessment results, as well as on the proposed remediation plans. This will help ensure that compliance approaches are reasonable and appropriately scaled. Keeping a watchful eye on the best practices and case law emerging around the regulation will also help, as these real-world scenarios inform an organization’s GDPR plans and projects.
Technical processes and procedures must include formal approval gates on new uses of PII/SPI, to make sure that data management controls in the metadata, architecture and CRM areas are planned into projects and that there is adequate funding for them to be designed and integrated into project deliverables. Input from Legal, the DPO and other stakeholders may be sought to clarify which controls, and at what depth, are necessary in specific circumstances. (Note: This level of peer-organization involvement in IT projects may be new to some organizations.)
Technical Change Management
Many applications exist for the tracking of PII/SPI, with critical features that track specifics on the data, the applications, data flows, projects, designs, risk analysis, approvals and deployment. All of this data is important for documenting the activity for internal and possible external audit.
3. ORGANIZATIONAL CHANGE
Today, with privacy and security issues top of mind across the globe for CIOs and CEOs, organizations are changing the way they deal with these significant issues. Organizational behaviors must change in addition to providing audit trails to evidence the practices. An organization with the right set of interactions and communications will keep its GDPR program on track.
- Training and Communication
- Codes of Conduct/Certifications
- Organization for GDPR
Implications for Data Management Controls
At First San Francisco Partners (FSFP), we’ve seen organizations opt for locating the control center for GDPR in Security, Privacy, IT, Risk or Legal with a DPO designated internally or through external representation. Over time, the GDPR assurance organization shifts as the regulation’s implications are more fully understood. And what begins as a project must become a long-standing, integrated program.
The chain of responsibility in the handling of PII/SPI is recognized in the GDPR, and Legal must review the expectations with business partners who receive and/or process this data.
In our consulting practice, FSFP recommends that an organization’s Data Governance function play a role coordinating the interactions and establishing oversight in concert with the DPO and acting as the GDPR communications and planning center.
Organizational Change Management is critical. The GDPR as a whole requires changes to various aspects of an organization’s structure and business objectives. GDPR-driven changes, in our experience, are not easy. Even with a regulatory mandate, there can be significant resistance and fear, along with challenges of understanding and education.
Without formal, well-planned change management activities, in the form of internal communications, training, briefings, formalization in codes of conduct, and education delivered to the right audiences at the right time, the success of the reorganization and of the new GDPR processes is at risk.
Communications cannot be “one-way” and should be backed by an organization-wide plan with a continuous improvement cycle. Collecting feedback on effectiveness and gaps and addressing these areas is critical, as well as looking for opportunities to reinforce key messaging. These follow-up activities, as well as a significant GDPR compliance presence in the company, will support the GDPR program long term.
Significant data integrations with partners require cataloguing at the data-element level, with documentation of streaming and downstream processing. The contents of the data flows and the legal contracts with third parties require analysis and possible rework to meet the regulation’s requirements. Ongoing changes to data sharing require documentation, and the data-sharing catalogue must be maintained for audit purposes.
THE GDPR AT YOUR ORGANIZATION
While the GDPR may appear to be one size fits all, the key to establishing the framework and managing it long term at your organization will be an individual, customized process. You’ll need to examine the regulation and its implications in the context of all data-related practices, view exposure areas through the lens of risk, choose remediation activities that work for your organization, and stay abreast of GDPR clarifications and recitals.