Sheila M. FitzPatrick is elevenM’s GDPR Lead. Honoured as one of the Silicon Valley’s Women of Influence for 2017, Sheila holds strategic seats on several committees including the European Union Data Protection Advisory Council, the Asia Pacific Data Protection Framework Advisory Board and the Pacific Rim Privacy and Cybersecurity Advisory Group. Read more about Sheila here.
Deadlines are a powerful motivator. While travelling the world over the past year, including here in Australia, I’ve been energized by the discussions that companies are having about data privacy as they prepare for the European Union’s General Data Protection Regulation (GDPR). But I’ve also been dismayed by the numerous companies who remain oblivious – wilfully or otherwise – to the implications GDPR has for their business operations.
The GDPR comes into force on 25 May, 2018 – that is, less than four months from now, yet many Australian companies are still confused as to whether GDPR applies to them.
In a nutshell, if your business has any interaction with the personal data of an EU resident, then GDPR will apply.
I also see companies struggling with what GDPR actually means and being lured by quick fix sales pitches for tools and technology that claim to make you compliant with GDPR. Vendors, suppliers, and consultants who have never operated in the data privacy space have miraculously become GDPR “experts”, with beautiful brochures and marketing collateral promising that their technology alone will deliver compliance. But, buyer beware: don’t believe the hype.
The high-level concept is simple: GDPR requires that companies have a data privacy legal compliance framework in place. In practice, that will look different for every organisation. That’s why effective compliance will never come straight from a box. Complying with the GDPR requires having a privacy program that lays out your business’s foundation for meeting its obligations around an individual’s fundamental rights to privacy and to own and control their personal data. It incorporates what data your company collects, why and how you collect it, and what you do with it. It takes account of your specific people, processes and systems. Technology has its place, but you must ensure you have the right tools for the right problems.
If you are using outside assistance to help bring you into compliance, there are some key things to consider before you sign on.
Do your homework
When you hire a new employee, you don’t make your decision based strictly on how they sell themselves. You read their resume, interview them, and check their references, because hiring an employee is a long-term investment and a poor decision can have significant consequences. Complying with GDPR is also a long-term proposition that deserves the same level of attention. Just like you would with a prospective new hire, get to know your prospective advisors and their capabilities by digging deeper than glossy sales brochures and snappy product taglines.
If you’re engaging an IT supplier, consider what steps they are taking to ensure that they comply with GDPR. Ask about their privacy framework and the internal policies and processes they have to support it. Ask them specifically how they comply with Australian data protection laws and all other relevant data protection laws.
Choose a company that clearly understands the difference between privacy and security and that takes a holistic view that includes all the processes and tools you need to protect your company and your customers. If you ask a privacy related question and they give a security answer, it is a sure sign that they don’t understand privacy at its core. World class security does not ensure privacy compliance – building a fortress around data you are not legally allowed to have will not save you from the inquisitive eye of European data regulators. And it won’t help restore the trust of customers who feel intruded upon by your organisation.
Information management has become a global proposition, so you want to work with a service provider that has a global approach, not a national one. If you operate in the European Union or provide goods and services to EU residents, member states have laws that also require consideration. Depending on how your business is structured, you many need to comply with the laws of multiple jurisdictions in overlapping contexts. Ask how the provider stays current with new developments in privacy legislation and regulations around the world. If they say that rules in other jurisdictions aren’t ‘relevant’, then keep looking.
Keep your eyes on the prize
As you work to bring your company into compliance, remember your goal. Tools and technology might be part of your solution, but successful compliance with GDPR won’t be measured by the amount of software or data storage that someone installs for you, or the location of your data centre, or the latest data mapping or classification tool you implement. Success will be measured by your ability to demonstrate that you understand what data you’re collecting and what you’re doing with it.
When your service provider is finished, you and your employees should have a solid grasp of several key elements. Firstly, you should know what information you’re collecting about employees and customers, and you should have a procedure to ensure that you have their consent where needed and a lawful right to process data where consent is not an option. You also should know what agreements you have in place with third party providers that collect, process or host information for you. This isn’t the time to pass the buck—you need to know how they protect data that they collect, because they’re doing it on your behalf, and your customers will hold you responsible for their actions. You need to know what data you collect about your customers, why you require that information from them, and what you do with it. If you and your team can’t answer these questions, chances are high that you don’t have an adequate data privacy framework and that you’re not compliant. If that’s the case, it’s time to get cracking.
Don’t cram the night before the exam
If your company hasn’t started preparing for GDPR, don’t panic—just get to work. Start by taking stock of what data you collect and why. If you need external support, don’t be lured by those promising a quick fix – these will only cost you money to give you the appearance of compliance, and the regulators won’t be fooled. Spend the extra time to hire someone that can help you develop a proper privacy framework that will serve you, your employees, and your customers in the long run.
Still have questions?
Read our articles on: