GDPR compliance: taking a three-pronged approach
Jan Van Vliet, VP and GM, EMEA at Digital Guardian, discusses how businesses struggling with the GDPR legislation can get ahead by adopting a more consistent approach to compliance.
The forthcoming EU General Data Protection Regulation (GDPR) is the largest overhaul of data protection legislation in nearly 20 years. Set to come into force on 25th May, it is designed to replace the many different data regulations across the European Union with one protection standard for the whole region.
The implications of the GDPR will be extensive, but – despite being so close to the deadline – a recent survey, from software company Senzing, found that 60% of European businesses are not prepared for its arrival.
With time running out, these businesses need to step up their efforts in order to ensure compliance before the deadline arrives. HR departments play a crucial role in achieving this compliance, but many are still unsure about how to break down the complex legislation into easily actionable activities and processes.
The three prongs of GDPR compliance
The solution lies in adopting a more consistent approach to dealing with the many different areas encompassed by the GDPR, focusing efforts on three main business components: people, processes and technology.
People: The people within an organisation are the ones who are closest to the data and understand it best. Therefore the first action should always be to work with the relevant stakeholders to properly identify and classify data, assess how it is being used and better understand the most appropriate course to take with it.
Processes: Once data protected under the GDPR has been identified, clear processes must be put in place for employees to follow. This will ensure compliance is achieved and maintained.
Technology: The right technology will help businesses meet the requirements of GDPR both now and in the future. The GDPR also specifically states that data security should be built into technology projects and initiatives.
Applying this approach in the context of GDPR
Taking a consistent ‘people, processes, technology’ approach to GDPR can help HR leaders understand exactly what needs to be done and how to go about doing it. Below is an example of how this might look when applied to a key aspect of the GDPR.
Chapter 3: ‘Rights of the data subject’
GDPR includes an extensive collection of rights that EU citizens residing in the EU will be entitled to, as a way to protect their personal data. This is leading to a pendulum swing back to where the EU citizen is the data owner until they give consent for their data to be used, not vice-versa. Companies need to adapt and learn how to operate in this new environment.
People: Perhaps the biggest challenge here is around changing attitudes towards data consent and ownership within organisations, which some will find harder than others. Businesses accustomed to reinventing themselves tend to accept change far more easily than those with an entrenched way of doing things. Education will play a key role in shifting internal behaviour towards personal data over time.
Changes to data usage consent are also a key element. GDPR requires companies to specifically state how personal data is being used and give citizens a choice on whether they are happy for their data to be used in that way or not. As a result, the people within the business need to change how they approach consent. Consent tools must become far more user friendly and easy to locate, not secretive and hidden like many of them are today.
Processes: GDPR expects HR departments to put processes in place that allow EU citizens to request their personal data, have it amended or even deleted. These requests must be handled “without undue delay”, which means HR will need to know exactly where the data resides and how it is stored.
There needs to be stringent governance of this process to ensure the right data is being given to the right person. In most instances, this will take the form of a series of authorisation stages, overseen by the business’s Data Protection Officer (DPO).
Under the GDPR, appointing a DPO is mandatory for public authorities, as well as organisations that monitor data subjects on a large scale, or process sensitive personal data on a large scale.
The DPO will be the focal point of all data protection and compliance activity, and is accountable to both the board and customers.
Technology: To ensure compliance is met, a technology backstop is needed to support people and enforce processes. A comprehensive, enterprise-wide data discovery solution should be used to locate any data potentially subject to GDPR. This must include data residing on laptops, servers, databases, file shares, or in the cloud.
Once found, data classification by context, content and user will allow businesses to track and control the movement of GDPR-relevant data. It’s extremely important that all data discovery and control activity be ongoing, in order to ensure that any changes to the data over time are identified and accounted for in compliance activities.
Expanding the approach across GDPR challenges
GDPR is a welcome, possibly overdue, addition to EU law that will greatly improve personal data protection and privacy for all EU citizens. While achieving compliance might feel like an uphill battle, the key lies in breaking the legislation’s core components down into manageable sections and applying a consistent approach to each area. With this approach, compliance can still be achieved by the looming deadline.