Ready or not, here comes GDPR – IT Edition

In a blog post last month I wrote about how to tell if your company’s identity management is ready for the upcoming data protection regulations. That post focused on the business aspects that impact overall corporate strategy and, in particular, marketing and other business functions that handle customer data. This week I’m going to look at IT- and technology-specific areas that are relevant for compliance with the upcoming General Data Protection Regulation (GDPR).

CTOs, CSOs, CIOs and IT departments across the globe have had May 25, 2018, marked on their calendars ever since the European Union announced that the General Data Protection Regulation would go into effect on that date. With good reason too: GDPR will dramatically change how European consumer data can be legally collected, managed and used globally — regardless of where your company or its servers are located, where the data is stored or processed, or if you process the data as a service on behalf of a client.

With “GDPR Day” less than a year away, there’s a lot of work to be done to get into compliance. Where do businesses currently stand and what do IT departments need to accomplish to prepare for the coming storm?

It’s big, it’s hairy, and it’s NOT just an IT topic

Here’s the first and maybe most important piece of advice: If your upper management considers GDPR a problem for IT to solve, it might be a good idea to protest loudly and clearly. GDPR-readiness is an all-hands-on-deck situation, touching just about every corner of the enterprise, and that includes processes as well as goals and activities of business line organizations.

As an example, your marketing organization will have to revisit whether its collection and use of personal customer data complies with GDPR. Web forms and mobile applications might require changes in the way customer data is collected, at registration time and beyond. This could require a redesign of the user workflow that UX/UI teams need to understand and implement. Your company might be obligated to employ a dedicated privacy officer, and this role is likely to live in the legal department. While IT has many touch points with these different groups, IT departments cannot and should not be put in a position where they are expected to make other organizations comply.

Another common misconception about GDPR is that it won’t be a concern for enterprises that have their headquarters and IT operations outside of the EU. Companies often fail to realize that GDPR affects them no matter where they are located and that the new regulation does away with most of today’s “work-arounds” that allow non-EU companies to more or less ignore European data regulations.

That said, IT is a key pillar in any GDPR compliance effort, and it’s the department that is most directly impacted by these changes.

Penalties for non-compliance can reach as high as $23 million, or 4 percent of a company’s global annual turnover. If GDPR is not yet a top-level and cross-organizational initiative in your company, then it is time to make it one.

Making GDPR preparations

Let’s get to the specifics. What do IT departments need to account for when complying with GDPR? Here are the main points to consider:

Provide customer data transparency and consent management

Many of the changes included in GDPR are centered around giving individuals more control over the information they choose to share. GDPR has strict requirements for obtaining approval from users before acquiring and processing their personal data, and the definition of personal data has been extended significantly (compared to preceding EU regulations and even more so compared to most other data protection regulations). For example, IP addresses are considered personally identifiable information (PII) under GDPR.

In addition to overhauling digital consent forms and workflows for greater clarity, GDPR also requires organizations to plainly show customers what data they have collected and for what purpose. Users need to be enabled to view, revisit and change their data usage approvals at any point in time. It is fair to say that this is a capability most digital sites don’t have today, and it’s easy to underestimate the implementation complexity – in particular in organizations with large infrastructure and many potentially siloed systems. As an example, if a user decides to withdraw approval to use their last name, gender or phone number, this change needs to be propagated in a timely fashion — ideally near real-time — across all databases feeding all marketing automation (and other) systems, and that includes outsourced systems that are run by vendors and contractors.

Existing, pre-GDPR data that has been collected in a fashion that is not GDPR-compliant is not grandfathered in, so your business lines may need to ask customers again for explicit approval to use their data. This will not just mean new consent forms and user workflows to be designed and implemented, but might require a dedicated outreach to customers.

Enable the ‘right to be forgotten’

Brands must acquiesce to any request to have customer data removed from their databases. In fact, a key provision included in GDPR’s Article 17 is the individual’s right to be completely erased from a company’s data repository.

Adhering to these guidelines will require some significant changes to current systems, databases and automation stacks. “Forgetting” a customer is easier said than done, and IT must be sure that every scrap of data related to a particular person is removed upon request. If anything slips through the cracks, or your backup brings back old data sets, the business could face a stiff fine. Again, this requirement must be fulfilled across internal systems as well as external, outsourced systems that a service provider runs on your behalf. A dedicated CIAM solution that is able to integrate with these systems and act as the master repository can help to support this non-trivial task. Regardless of what solution architecture you decide to use, you need to enable your infrastructure to support controlling customer data across your entire business technology stack.

Implement a BCDR and data breach response plan

Every business should already have a business continuity and disaster recovery (BCDR) plan as well as a data breach response plan in place, but GDPR further increases the need for a comprehensive process.

Companies will be required to notify a supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (Article 32). The immediate aftermath of a data breach can be hectic, to say the least, so it’s vital that IT departments have an established and documented step-by-step workflow for effectively responding to such an event, that their teams are trained accordingly, and that the responsibility to notify authorities is clearly defined and assigned: Which authorities need to be notified, what information must be provided, and (most importantly) who in the organization is accountable for driving this task?

Serious events, both in the form of outages as well as breaches, can gain public visibility, result in brand and revenue damage, and could make the company subject to lawsuits. Given those extensive repercussions, IT departments should make sure this new corporate responsibility is not viewed as an IT-only task, and that it’s clearly defined which internal stakeholders need to be in the loop. IT might be driving the process, but involving other stakeholders must be part of the plan.

A mandatory new role: The Data Protection Officer

Article 37 of the GDPR requires data protection officers (DPOs) to be appointed for all organizations where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale,” or where the entity conducts large-scale processing of “special categories of personal data.”

The GDPR doesn’t help much in specifying where in an organization this position needs to reside, nor what the ideal profile for a candidate would look like. It does require that they have “expert knowledge of data protection law and practices”, and in most companies this role will be in the legal or compliance department. The DPO’s responsibilities include informing and advising data controllers and processors of their GDPR obligations, monitoring compliance, training staff, and conducting internal audits.

Needless to say, the DPO is a crucial stakeholder and potential driver and owner of requirements, and IT organizations should think carefully about how to best ensure efficient collaboration and communication. This is especially true for non-EU companies that plan to position this role inside of their EU branch, and where all central IT functions are located overseas.

Build vs. buy vs. vendor readiness

As with almost any technology implementation, IT departments need to identify where working with partners and vendors to achieve GDPR-compliance is more cost-efficient than in-house implementations.

The GDPR requires more than just that, though, as it holds you responsible for the compliance capabilities of your vendors and contractors. Article 32 separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to comply with GDPR’s requirements.

In other words, companies are well-advised to perform an impact assessment for the vendors that will take on these responsibilities to ensure these vendors themselves are able to comply.

This due diligence is not only recommended prior to selecting new vendors, but should also be done with existing ones that handle customer data. Not every vendor or technology you employ today will still be the right choice after May 25, 2018. GDPR does introduce new complexity, and failure to comply puts significant risk on companies (in the form of lawsuits, fines, and reputation damage).

As an example, let’s say one or more web agencies handle registration and authorization for your digital sites today. It might turn out that these agencies are not well-prepared to align with your BCDR and data breach plans, simply because this was not a strict requirement in the past, it’s not the core competency of these vendors, and maybe not all of them have even started their own preparation process. In addition, they might have implemented multiple data repositories with no clear concept of a master copy, which can make it unnecessarily hard or even impossible to reliably delete a customer’s data set on request and comply with the requirements around the right to be forgotten.

In a case like this, consolidating and centralizing data management and implementing a clear data synchronization hierarchy between systems would be necessary first steps, and that might be achieved by introducing a specialized identity management solution.

Where to go from here

GDPR brings the overall need to revisit how you manage customer identities, and the personal data associated with it, across your systems and across departments. It is also an opportunity to streamline, optimize and improve.

The focal areas described above are meant as a beginning framework from which IT organizations can take a deeper dive into GDPR-readiness. Technology and software tools alone will not make a corporation GDPR-compliant, but they are a key element in this effort.

Hopefully, at this stage, your company’s GDPR-readiness efforts are well underway. There’s still a long way to go to achieve full compliance, however. To see where you currently stand and to get more assistance preparing for this monumental data privacy regulation, be sure to review our GDPR Primer and Readiness Assessment.