The General Data Protection Regulation, more commonly known as GDPR, has received an incredible amount of attention in the last year. And rightfully so, as it will affect any organization that collects or analyzes any data pertaining to European Union (EU) and European Economic Agreement (EEA) member citizens - even including cookie tracking and IP addresses. The general goal of this regulation is to strengthen data protections under a unifying system for all individuals in Europe and to allow citizens more control over their personal data.
Of course, this affects many companies in North America that do any business in Europe if personal data is part of the transaction. It also changes the way European companies are allowed to transport personal data across borders. With these considerations in mind, we here at Gimmal reached out to some of our customers to try and understand what effects the GPDR will have for them.
In this first round of survey results, we examine how these organizations are managing the urgency of compliance, as well as what they are doing to make sure they get the job done right.
How high a priority is GDPR compliance?
With penalties of 4% total annual revenue or 20 Million EUR (whichever is greater), GDPR represents a major challenge for businesses assessing their compliance policies in advance of the May 25, 2018 enactment. Among organizations we've spoken to, the consensus is that GDPR compliance is very important, but also must be prioritized. One organization stated that it is high on their list "because of the activity volume and high risk."
Another organization stated that they started working on GDPR in Q1, using an internal team as well as outside consultants (20 full-time and part-time individuals total) to ensure they are GDPR compliant in time for the May 2018 deadline.
Urgency depends upon exposure
One other major point we have seen is that the urgency for compliance depends highly upon industry. Consumer-centric companies are (rightfully) anticipating that they will receive greater scrutiny in the first months after implementation, while other organizations believe they have more time to focus on doing it right. The Chief Privacy Officer of a specialty chemicals company states: "It’s a long game, not a one-time big event. It’s more of a steady, sustained approach. [...] GDPR implementation needs to be done right, systematically, and consistently [...] in a world of competing resources."
Managing conflicting requirements
Two of our respondents also pointed out unique scenarios that introduce ambiguity into how best to assure compliance. One states: "There can be a conflict between the Federal Rules of Civil Procedure (FRCP) and GDPR requirements. FRCP rules govern civil procedure in US district (federal) courts, including producing documents in timely fashion, perhaps from data repositories, email systems, and file shares containing personal data."
Another brings up this scenario:
Here’s a good example – records related to hotline calls. Under the EU data authority, they want you to delete information about EU data subjects. Say there is a complaint about inappropriate behavior in the workplace or financial fraud, you have to investigate. If it is determined that the allegations are unfounded, you must delete the information. We are required to report complaints to our Board of Directors because of Sarbanes Oxley (SOX) requirements to establish a hotline. We have had the hotline for years. How do we marry those two requirements together? One option is anonymization of data which may require a separate retention period for anonymized data.
There is no one regulation that is more important than the other. Organizations need to examine every scenario and find solutions that satisfy both competing priorities to the best of their abilities.
How is your organization deciding what people and teams are responsible for implementation?
This is an important first step to understanding the compliance needs and those interviewed understood that point. An apparel manufacturer mentioned that they started with a gap assessment to understand where they were, then established an action plan, and are currently in the process of implementation.
An energy company we interviewed was also being thorough:
Yes, we have a dedicated data privacy team with lawyers and other subject matter experts. The program is driven primarily out of Europe; however, we made a decision to implement globally regardless of country for all businesses. We have identified Data Privacy Focal Points and provided additional training for them. Also, we conduct a data privacy assessment of each work group/business segment to determine what people understand about data protection, where personal information exists, and how to ensure it is protected.
Another energy company interviewed is confident that their existing policies and teams already fulfill their needs in this matter, while another organization is using this initiative as an opportunity to formalize a team around compliance that was working on an ad hoc basis to fulfill Safe Harbor mandates (invalidated in 2015).
Thoroughness wins the race
Overall, we are seeing that organizations are more concerned with getting it done right than getting it done quickly. This is a promising sign, but May is fast approaching.
In our next piece in this series, we'll examine how the need for GDPR compliance is affecting the way organizations are dispositioning records and ROT (redundant, obsolete, and trivial information), as well as which business systems are affected by this regulation.