Few people can give a precise answer to the question, and, even when they do, you will likely hear terms like DPO (Data Protection Officer), DPIA (Data Privacy Impact Analysis), hardware or applications being bandied around. Here at Realdolmen, we believe in a small number of pragmatic steps to help you, as an organization, approach the "GDPR exercise" in a structured way, without sending you off on a wild goose chase, and without adding extra, and often pointless, costs for hardware and software solutions that will later just inflate your OPEX budget, since you also need to learn to manage all these new components.
We explain our four-step process below.
Step 1: Is my company covered by the GDPR?
The answer is almost certainly YES. The real question is: do all the defined criteria apply to my organization? This provides a much more nuanced answer.
Obviously all personal data need to be treated with respect and in keeping with established rules. But certain measures, such as appointing a DPO, are only required in specific situations. We actually strongly advise that organizations not do this if they are not required to do so (the conditions under which it is required can be found in the regulation itself). This is because it just creates the impression that you are working on a "large" scale with personal data, which leads to more questions, more anticipated measures, etc.
Researching what exactly is needed within your company is key in step 1, and, in turn, leads to a number of following steps. We call this "drawing up a data privacy company profile". What is important here is that you do not forget your own employees when doing the research. How many people are you looking at? How often do I make an update or consult a file? What do we keep, what is necessary and what is relevant? These are just a few examples of the questions you need to ask yourself.
Step 2: Data Mapping
Where is your data currently stored? This will be one of the foundation stones of the future GDPR: where is my data, how do I keep it up-to-date and where do I need to delete it under the "right to be forgotten"?
Does this mean that you as an organization need to start using a Data Warehouse? Are you about to roll out a BI or Data Insights implementation plan? Projects like this can often take several months (6+), or even several years. If you are only starting now, then you will have a problem on 5/25/2018. Although the choice is yours, if you have not yet allocated a budget for this undertaking, then you would do better to choose a more pragmatic approach.
Drawing up an inventory of all your data objects gives you an insight into your environment. That does not mean to say that everything is structured or that everything runs automatically. But it does give you, as an organization, the chance to react to questions instantly.
An additional advantage is that you can take this information and define a risk profile. If you don't know where your data is, how can you define your risk if you lose it or if the data is incorrect? There are a variety of options for defining this kind of risk profile, ranging from complex SAP or other implementations through to SAS, Informatica or other tools that give you a good view of your assets with minimal effort. (See below for more about SAS and Informatica).
Step 3: End Points
Because many organizations forget the end points, we want to draw your attention to them right here. It is easy to invest loads of money in security and policies, but what do you do if an employee takes a database extract home as a .xls file on a USB stick in order to continue working on it, and loses the stick when rummaging for his car keys after a quick Friday evening drink with a colleague?
The most urgent questions asked at that time by the DPA (Data Protection Authority) will be: What information did you lose? About whom or how many people? What actions can we (as an organization) take to limit the damage (read: remote wipe, encryption, etc.)?
If you do not have a robust Mobile Device Management policy, it is very difficult to deal with a situation like this. Of course BYOD, flexible working and mobile phones are now features that are here to stay at the workplace. Unless the necessary care and attention are given to these, all other corporate efforts relating to security and policies are a waste of time. Remember: a chain is only as strong as its weakest link.
Step 4: Consent
Under the GDPR, consent can no longer be tucked away inside your general terms and conditions. No, be explicit! And specific: for a clearly described goal and a limited period. Ask only for as much as you need. But how are you to do this?
Better to look sooner than later at (existing or new) tooling in order to keep consent "manageable". Don't forget that within the GDPR the burden of proof lies with the organization and that it can be demanded at any time by the data subject. Lists in Excel or SharePoint can work if you manage just a limited number of consents. But a list like this, even with a limited number of data subjects, will quickly grow out of control. This is sure to be the case if you request consent from those involved for several different things.
For each individual data field requested from the "data subject" you need to know, at any given moment, why you have asked for that particular piece of information, how long their consent is valid for, and whether the consent has been revoked. You also need to know how the consent was given. The GDPR, for example, allows verbal consent, but that means that you must have a recording of the agreement stored as proof and need to link it to the data fields concerned.
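To make the bookkeeping described above concrete, here is an added illustration (not Realdolmen's tooling, not a design the regulation prescribes) of a consent ledger that records, per data field and purpose, when consent was given, how long it is valid, how it was given and where the proof lives, and that can answer "may I still use this field for this purpose right now?" The subject identifiers, purposes and evidence references are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    subject_id: str
    data_field: str              # which piece of personal data this consent covers
    purpose: str                 # the specific, clearly described goal
    given_at: datetime
    valid_until: datetime        # consent is for a limited period
    method: str                  # how it was given, e.g. "web_form" or "verbal"
    evidence_ref: str            # pointer to the stored proof (form id, recording id)
    revoked_at: Optional[datetime] = None


class ConsentLedger:
    """One record per (subject, data field, purpose): enough to answer 'why do you hold this?'"""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Refuse records that could not be defended later: no purpose, no end date,
        # or verbal consent without the recording that proves it.
        if not rec.purpose:
            raise ValueError("consent must be tied to a clearly described purpose")
        if rec.valid_until <= rec.given_at:
            raise ValueError("consent must be limited to a period ending after it was given")
        if rec.method == "verbal" and not rec.evidence_ref:
            raise ValueError("verbal consent needs a stored recording linked as proof")
        self._records.append(rec)

    def revoke(self, subject_id: str, data_field: str, purpose: str, when: datetime) -> int:
        """Mark matching active consents as revoked; returns how many were affected."""
        count = 0
        for rec in self._records:
            if ((rec.subject_id, rec.data_field, rec.purpose) == (subject_id, data_field, purpose)
                    and rec.revoked_at is None):
                rec.revoked_at = when
                count += 1
        return count

    def is_permitted(self, subject_id: str, data_field: str, purpose: str, at: datetime) -> bool:
        """True only if some consent for this field and purpose is in force at time 'at'."""
        return any(
            rec.subject_id == subject_id and rec.data_field == data_field and rec.purpose == purpose
            and rec.given_at <= at < rec.valid_until
            and (rec.revoked_at is None or at < rec.revoked_at)
            for rec in self._records
        )

    def justification(self, subject_id: str, data_field: str, at: datetime) -> List[Dict]:
        """What a data subject or the DPA may ask about one field: purpose, period, method, proof."""
        return [
            {"purpose": rec.purpose, "valid_until": rec.valid_until.isoformat(),
             "method": rec.method, "evidence": rec.evidence_ref,
             "active": self.is_permitted(subject_id, data_field, rec.purpose, at)}
            for rec in self._records
            if rec.subject_id == subject_id and rec.data_field == data_field
        ]


def demo() -> Dict:
    """Constructed sample: one subject, one field, two purposes, one revocation."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("subj-001", "email", "newsletter", t0,
                                t0 + timedelta(days=365), "web_form", "form-4711"))
    ledger.record(ConsentRecord("subj-001", "email", "event_invitations", t0,
                                t0 + timedelta(days=90), "verbal", "rec-0815"))
    ledger.revoke("subj-001", "email", "newsletter", t0 + timedelta(days=30))
    try:  # verbal consent with no recording on file must be rejected
        ledger.record(ConsentRecord("subj-002", "phone", "support_callback", t0,
                                    t0 + timedelta(days=30), "verbal", ""))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "newsletter_day10": ledger.is_permitted("subj-001", "email", "newsletter", t0 + timedelta(days=10)),
        "newsletter_day40": ledger.is_permitted("subj-001", "email", "newsletter", t0 + timedelta(days=40)),
        "events_day60": ledger.is_permitted("subj-001", "email", "event_invitations", t0 + timedelta(days=60)),
        "events_day100": ledger.is_permitted("subj-001", "email", "event_invitations", t0 + timedelta(days=100)),
        "verbal_without_proof_rejected": rejected,
        "justification_day40": ledger.justification("subj-001", "email", t0 + timedelta(days=40)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `is_permitted` is that expiry and revocation are checked at use time rather than at collection time, which is what lets a spreadsheet-sized list stay defensible once it grows; the same lookups translate directly into the configuration of a data-management tool if you go that route instead.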
As an organization you have two options. The first is to continue with manual management until a commercial solution for managing consent comes along. Such a solution is bound to arrive and is already in the works right now, but its price tag, as well as how well it meets your needs, are complete unknowns. The second option, once again, is a number of pragmatic solutions worth considering: here I would like to come back to the tools referred to above, such as Informatica and SAS. Neither includes a separate, dedicated consent-management function, but with a bit of creativity they can indeed be configured in such a way that you have a professional solution that is sure to cover your needs in this area.
You can see that there is more to GDPR than just appointing a DPO, and that 5/25/2018 is a lot closer than we all think. By taking a pragmatic approach you still have enough time to prepare your company for the regulation as well as the sanctions.
But for all of the above, our most important message to you is: ACT NOW
Gert Maton, Senior Consultant
If you would like to find out more about GDPR or you want us to help you prepare your company for May 2018, contact me on Gert.Maton@realdolmen.com.