Privacy has been the new normal for a while now, but the General Data Protection Regulation (GDPR) raises the stakes. With it now in effect, you have likely met the initial requirements for compliance. But there is always more to do, and there are less obvious impacts you need to keep on top of.
First things first
By the time GDPR went into full effect May 25, 2018, there were several things you were expected to have done.
For starters, you had to work out whether you were in scope of the European privacy legislation. Scope is based on where the people are and what you do with their data, not on citizenship or on where your servers sit: GDPR applies to organizations established in the EU, and to organizations anywhere that offer goods or services to people in the EU or monitor their behaviour there. Were you collecting and storing information about people in Europe? There is a good chance the answer was yes. From there, some of GDPR’s requirements were quite clear from the outset.
First, you needed a framework for breach notification, because the clock under GDPR is short. An organization that suffers a personal data breach must notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, those individuals must also be told without undue delay. In practice this means you need detection, escalation and a decision-maker in place before an incident, not after, since 72 hours is not enough time to build a process.
Second, you needed a lawful basis for every use of personal data. Where that basis is consent, the consent must be specific to the purpose, you may use the data only for that purpose, and you need fresh consent if the purpose changes. Individuals can withdraw consent at any time, and they have a related “right to be forgotten” (the right to erasure): when it applies, you must delete their personal data without undue delay, subject to exceptions such as a legal obligation to retain it. That puts the onus on the organization to understand the complete lifecycle of its data, from collection through storage, replication and backup to deletion, because you cannot erase what you cannot find.
Finally, GDPR requires any organization that is a public authority, whose core activities involve large-scale, regular and systematic monitoring of individuals, or whose core activities involve large-scale processing of special categories of personal data, to appoint a Data Protection Officer (DPO). Even if you do not fall into those categories, it probably made sense to identify a person, or create an integrated team with the right skills, to own privacy and liaise with the DPA.
The simplest way to boil down GDPR is this: people have a right to know what data you hold about them and where it is, and you need a lawful basis, often their permission, to use it. And that is where things get tricky on an ongoing basis if you are to remain compliant with what GDPR is today, what it might be tomorrow, and other new and existing regulations, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Compliance unearths hidden pressures on privacy
Now that GDPR is in full effect, you are seeing the downstream effects of staying compliant. You are seeing your business processes in a new light and fully realizing that you need to be ready for the long haul.
And beyond the initial compliance requirements you have already met, you may be discovering several other ramifications of the legislation:
- Risky travel: GDPR requires that you know not only where your data is stored, but how it gets there. Even when transmission is virtually instantaneous, the route is not always direct, and one of the hops, or a replica or backup, could land the data in a jurisdiction outside the European Economic Area. Transfers out of the EEA need a recognized legal basis, such as an adequacy decision or approved safeguards, so the path your data takes is a compliance question as well as an engineering one.
- Siloed applications: Deleting a record is straightforward in theory, but in practice there may be many copies if business units operate in their own silos. Duplicate records across CRM, marketing, support and analytics systems, plus replicas and backups, all have to be found before an erasure request can be honoured.
- More data than you need: It has become standard practice to gather as much information about your customers as possible. But once you have it, you are responsible for keeping it safe, and GDPR’s data minimisation principle says you should hold only what is adequate, relevant and necessary for the purpose. Collecting less is the cheapest way to protect less, so rethink what data you actually collect.
- Sudden scrutiny: GDPR is not a reporting regime. You did not have to certify by the deadline that you were in compliance. However, should you have a data breach, it may result not only in litigation and fines, but in a complete audit of your processing by the DPA.
- Not just customers: You are required to protect the personal data of any individual in the EU whose data you process, not only customers. They could also be employees, patients, charitable donors, taxpayers, investors and stakeholders, among others.
This is just a handful of the nooks and crannies affected by GDPR; the legislation seeps into every business process. Privacy as the new normal means creating a culture shift within your organization so that every employee contributes to a state of readiness for GDPR today, two years from now, and for any other regulations that may arise.