GDPR: the online guide to the EU GDPR and to GDPR compliance

The GDPR (General Data Protection Regulation) or “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” has entered into force and applies as from 25 May 2018.

The GDPR is very different from its predecessor and concerns all organizations processing personal data of data subjects, regardless of where processing happens. Everything you need to know about the GDPR and GDPR compliance.

On May 25th, 2018, the EU’s General Data Protection Regulation (GDPR) takes effect. The new regulation, technically known as EU 2016/679, replaces the Data Protection Directive, which dates back to 1995.

Even though additional rules on specific aspects of personal data usage and privacy have been introduced since then, the GDPR is a major change with a vast set of rules and vast consequences in many areas. To become GDPR compliant, various steps need to be taken and mechanisms need to be put in place.

In this guide to the GDPR, which also serves as a multi-disciplinary GDPR resources hub, you will find information and links regarding the General Data Protection Regulation, its impact and the steps to take in order to be GDPR compliant in time.

This is crucial for organizations inside and outside the EU, unless they do not process personal data of EU citizens in one way or another (and ‘processing’ is a broadly defined term).


Overview of the topics in this GDPR hub

We’ve split up this rather long overview (as the GDPR has so many aspects), into different sections.

This enables you to jump to a section that applies to you, rather than having to read it all.

The why of this GDPR guide

We kick off with the ‘why’ of this guide. The General Data Protection Regulation or GDPR stretches much further than its predecessors and, as mentioned, also affects organizations from outside the EU.

The GDPR affects many organizations, functions and processes

There are ample reasons why you not only need to be aware of it but also must set a course of action to be ready and to adhere to the GDPR data protection rules, possibly including the appointment of a Data Protection Officer.

Do not make the mistake of thinking that GDPR compliance is easy or that it is only about security or technical measures.

The GDPR affects organizations in many ways, beyond data security and policies. Moreover, you need help or at the very least a clear plan of action, including training, revisiting your data flows and processing mechanisms, privacy practices, the way you leverage third-party data and far more.

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality (GDPR)

If you use or plan to use specific technologies, such as the IoT, you will also need to look at additional aspects, including the technologies themselves, which in practice seems to be a challenge, as covered in our article on the IoT, GDPR and regulation.

The GDPR also foresees clear roles and responsibilities within organizations, so that they are able to respond to the requests of EU citizens or supervisory authorities.

The GDPR is not just about fines: it’s about growth and a thriving digital economy

One reason that is often mentioned as a critical one to make sure your organization is GDPR compliant concerns the high fines in case of serious breaches (for which there is a reporting duty with specific rules and in specific conditions) and other issues regarding personal data: up to 4 percent of annual turnover or €20 Million, whichever is higher, as established in Article 83 of Chapter 8 of the GDPR text.

Yet, fines are not the purpose of the General Data Protection Regulation.

The GDPR is conceived as a framework for the digital transformation economy where data is a business asset, the new currency, the oil and innovation accelerator; and personal data is leveraged throughout connected ecosystems to achieve benefits thanks to a broader view of individuals in order to achieve better results across various disciplines.

In this economic, digital and societal context there are clear benefits for all organizations, yet there are also rules which need to be respected at the level of the individual, without which a growing digital market is hindered by multiple challenges, as we’ll see. In other words: as much as the GDPR might seem like a pain to many, it is also needed to make a digital and data-driven world easier and clearer. This offers benefits to organizations as well, for several reasons we’ll tackle.

GDPR compliance is not a choice – where the action comes in

There are ample resources on the General Data Protection Regulation or GDPR on the Web. In this guide we’ve gathered several of them for your convenience across various “chapters”.

They are split into several sections, just like this guide. As the GDPR touches upon many aspects of your organization, across functions and divisions, this seemed like the best way to proceed in order to gain a holistic GDPR and GDPR compliance perspective.

Looking at the state of GDPR readiness as of the end of February 2017, a little over a year before the GDPR becomes enforceable, we found there was a clear gap. And 10 months later, in December 2017, there was still a major GDPR compliance disconnect.

Data from several organizations and companies regarding GDPR awareness and preparedness in the UK, the US and, most certainly, the EU, showed there was still a lot to be done. Moreover, we constantly hear from information management experts or security professionals how unready many organizations de facto are. Not acting is not an option, hence this page.

EU General Data Protection Regulation – summary of some key GDPR changes – attention – read the details in the Regulation and get advice

Key GDPR terms, rights and stipulations

To become GDPR compliant you don’t just need some tools. You need a thorough analysis, plan, detailed checklist and so forth, covering all aspects and processes involved. The first stage in any such strategy, checklist or compliance plan is awareness.

Although this is more about awareness and know-how of all stakeholders in the organization (including training your staff), we also need to understand some key terms, concepts, rights and duties in the GDPR. You probably already know most of this, and there are far more exhaustive and detailed guides which you can find in the list below this overview.

The processing of personal data: the broad definition of processing

The GDPR is about the processing of personal data of EU citizens, called ‘data subjects’ in the regulation.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data (GDPR)

Processing covers a vast range of actions and includes storage, dissemination, changes and management of personal data. Personal data also covers a broad range of criteria, definitions, exceptions, personal data identifiers, pseudonymized data and more, as we’ll see. Moreover, and this tends to be overlooked, it applies to the processing of personal data whether the processing occurs by automated means or not. In other words: manually dealing with personal data (carriers) is included too.

In the second part of article 4 the GDPR defines processing as follows:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

If you start thinking about who processes data of individuals, you start seeing the tip of the iceberg. The definition of processing is crystal clear and that indicates how the GDPR involves ALL activities regarding personal data. This also includes capturing, scanning and processing the personal data which hard copy documents contain, and even the simple fact of “having” personal data (which, after all, we store or process) or “having access to them”.

The data subject and personal data

The GDPR’s definition of personal data leaves little room for interpretation too. In article 4, the text states:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural

The definition is clear: if you deal with personal data of a data subject, the general rule is that the GDPR applies. However, there is a lot hiding under this seemingly simple definition as we’ll see.

On the other hand, there are several exceptions regarding personal data in areas such as public health and scientific research, so it’s important to understand the impact of the GDPR for your industry. This is again an argument to prepare in time and understand how it impacts your individual organization and activities.

Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person (GDPR)

The GDPR does not cover anonymous data. However, it does cover so-called pseudonymized personal data, because pseudonymization, a ‘tactic’ often used in security and analytics among other fields, can be reversed and, as opposed to anonymous data, can be traced back to an identifiable natural person, the data subject. At the same time, pseudonymization, along with encryption, is one of the methods the GDPR recommends among the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

Research indicates that quite a few companies de facto use techniques to de-identify data as a way of reducing risk exposure.

Note that, in general, the more data are combined, the harder de-identification becomes and the higher the risks become. If special categories of data (“sensitive data”) are involved, additional risks and measures are the consequence.

In the GDPR the definition of personal data has been broadened (important for both consent and protection).

It includes identifiers such as genetic data and all data pertaining to a data subject’s health status. Also data for scientific research are included but only to a certain extent.

Genetic data include results from DNA analysis, health status data include data on treatments, medical history, diseases and far more – as the graphic below shows. Identifiers are data elements that could make a natural person identifiable and there are plenty of those. Some are more general, others are ‘sensitive’. It’s important to understand all these identifiers and how a natural person can become a data subject (the various ways in which he/she becomes identifiable). To give you an idea: one of the types of identifiers in the graphic below, namely online identifiers, consists of numerous sorts and forms, from an IP address and cookie to an RFID tag.

We recommend that you learn all about personal data, data subjects, identification, identifiers, pseudonymization and so on via the button below.

Data subject, personal data, identifiers and pseudonymous information

The expanded territorial scope of the GDPR

A major change of the GDPR, compared with the existing Directive, is its so-called extra-territorial applicability, the technical term for the fact, mentioned earlier, that the GDPR doesn’t just affect EU companies.

The GDPR concerns all companies which process personal data of citizens (‘data subjects’) who reside in the EU, regardless of where these companies (the ‘data processors’ and ‘data controllers’) are located.

When the processing of personal data of EU data subjects is done by a controller or processor that is not present in the EU, the GDPR applies to activities related to offering goods or services to EU citizens (free and paid services) and to monitoring the behavior of EU data subjects.

Moreover, a non-EU company which processes the data of EU citizens needs to appoint a representative in the EU.

Consent, consent and consent

There needs to be a clear consent to process personal data (with some exceptions).

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement (GDPR)

Moreover, there are limits on the use of automated processing of data to make decisions, for example in the case of profiling (among others essential for data-driven marketing and the usage of data in customer service).

Consent regarding the processing of personal data also needs to be crystal clear and in plain language.

In practice this means: no more legalese, and easily distinguishable and accessible ways of describing what consent is given for and how the data subject gives it.

That same level of ease must apply to the withdrawal of consent. Moreover, personal data can’t be shared with other parties without consent.

Breach notification duty

The GDPR has clear rules on when and how to report data/security breaches that pose a risk to data subjects.

In case of a data breach involving personal data, where the breach is likely to result in a risk to the rights and freedoms of the individuals concerned, a breach notification is mandatory within 72 hours of having become aware of the breach.

The Data Protection Officer

Data controllers and processors need to appoint a Data Protection Officer in certain conditions.

This is a pretty specific matter, so we decided to dedicate a separate page to the circumstances in which you need a Data Protection Officer or DPO and what his/her responsibilities, duties, skills and so forth are.

GDPR compliance – when do you need a data protection officer and what are the duties, tasks and skillsets of the DPO

The right to access

The right of access is also a right to information and transparency, and it is tied to consent and the (withdrawal of) consent.

Data subjects can ask the data controller whether personal data concerning them are processed or not, why, where and how this is done, and get an electronic copy.

The right to be forgotten or data erasure

Data subjects can ask data controllers to erase their personal data.

Moreover, if clear consent exists to disseminate the data and/or third parties process the data, this consent can be withdrawn. However, there are conditions that apply.

Data portability

This is a new concept that comes with the GDPR.

Data subjects have a right to receive personal data about them (as mentioned) but on top of that also have a right to transmit it to another data controller.

We already mentioned other key aspects such as the higher fines (penalties) and the adoption of the privacy by design principle.

Other key elements and/or changes in the GDPR

The list above is far from exhaustive. In the resources, infographics and other material in this article you find plenty more changes and elements.

In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default (GDPR)

These, among others, include:

  • Privacy by design and data protection by default are two key principles which have an impact on many areas, as we’ll see. As an example, privacy by design plays a role at the level of records management.
  • The special protection of personal data of children under the age of 16 (whereby parental consent is required).
  • The so-called one-stop shop which means that international organizations de facto have to work with one supervisory data protection authority.
  • Flexibility regarding specific articles. Contrary to popular belief, there are several areas where national regulators can interpret and/or elaborate on stipulations in the GDPR. This is, among others, the case in the context of sensitive data.
  • International data transfer principles are part of the GDPR.
  • Organizations need to be able to demonstrate that adequate technical and organizational measures have been taken. Certifications such as ISO 27001 can help in demonstrating this.
  • Lawful processing: as said, clear consent is needed; however there are more elements that matter in the broader context of lawful processing.
  • Specific measures to decrease risk, with encryption being the main one, are ‘promoted’ by the GDPR. As said, also rendering data pseudonymous is a way to decrease risk.

GDPR compliance strategies and GDPR checklists

Optimization, (restoring) trust, a more holistic approach and turning security and information management into enablers of digital transformation are just a few benefits that smart organizations can achieve with frameworks such as the GDPR (you’ll find more below).

On the other hand, there is the hard work that is needed in order to become GDPR compliant. As said, strategic approaches, looking at all aspects of the business, are key.

Various organizations, often in collaboration with others which have subject matter expertise in one or more specific areas of the practical implications of the GDPR, have come up with such strategic approaches. As a matter of fact, this is also part of the whole GDPR reality: the GDPR foresees Data Protection Impact Assessments.

They all, more or less, have the same steps in common, and are part of any GDPR compliance checklist or data protection and risk detection checklist you will find, such as the one below.

GDPR data protection and risk detection checklist infographic by Trustmarque

Step 1: GDPR awareness

Obviously, organizations need to be aware of the GDPR and its implications. That’s part of what we do in this overview and, as mentioned, there are quite a few organizations that lack awareness and/or won’t be ready.

However, in the strategic approach to GDPR compliance, awareness means something else (too): your staff, management, IT team, security people, information managers and so forth also need to be aware of what the GDPR in practice means for them. This is typically done in workshops and trainings to move from being aware to acting aware, from understanding to acting accordingly.

Data protection requires an ongoing effort, evaluation, monitoring and controlling.

Note that it’s important to have people that are responsible for creating this awareness and that education will be a recurring theme as new people join the company. The GDPR also foresees several roles.

The GDPR also shouldn’t be seen as a single big effort to be ‘ready’ by May 25th, 2018 of course. Data protection, in the scope of the GDPR and beyond, requires an ongoing effort, evaluation, monitoring and controlling. Moreover, it’s not as if tomorrow you won’t be leveraging new technologies with, again, new questions.

Finally, awareness also means fully understanding the GDPR and its impact, otherwise it’s hard to see where the gaps are between where you stand now and where you need to be of course.

Step 2: GDPR assessment/audit: discovery and gap analysis

These gaps bring us to a second part in all strategic approaches: there is a stage of assessment/audit with discovery and gap analysis. In order to get somewhere you need to know where you stand today, it’s a universal given.

And to assess where you stand today – and thus also look at the gaps – this stage is one of discovery and mapping pretty much anything that is relevant in the scope of the GDPR.

So, you need to gain insights into your current practices on various levels, such as audit capabilities/methods, where data sits (data discovery), which processes are involved, how you process data, how your privacy and security practices function, who is responsible and accountable today, what kinds of systems, networks and databases come into the equation, and so on.

When conducting a risk assessment, look at the risks for individuals’ rights and privacy.

In practice, assessment/audit and awareness, as you can imagine, overlap somewhat. Seeing what you do can lead to awareness regarding aspects you might have overlooked, and vice versa.

In practice, an assessment and discovery stage also needs to lead to an analysis of the gaps. As said, this obviously also means that you already know the GDPR and its full impact as a sort of benchmark that guides you in assessing in a prioritized way with the gaps in mind.

An audit further includes gathering and analyzing all currently documented policies in the organization as they exist now: from security and business continuity policies to acceptable use and privacy policies.

Some additional GDPR audit tips:

  • Audit to map risk. It is advised to take all elements of risk and classify them from a prioritization perspective. When conducting a risk assessment, don’t (just) think about your organization’s risks. The GDPR wants you to look at the risks for individuals’ rights and privacy.
  • Assess all frameworks, organizational aspects, strategies and security/data/incident/reporting management practices.
  • Focus on people: it’s not just about the risks in current practices, processes, systems and frameworks, it’s also about organizational culture towards personal data protection and skillsets.
  • Get the documents. Make sure you have access to all other data and documents which contain information on your latest security assessments and incidents and so on.
  • Listen. As we all know there is often a world of difference between documented policies and real-life practice. This inevitably means that you need to talk with people about how they work in practice, regardless of any documents and policies.

Step 3: Planning/strategy – preparing the GDPR actions to be taken

Once you know where the gaps are, it’s time to get really strategic and plan what needs to be done to close the gaps and to take all the other measures which you’ve identified.

The goal of a plan is to execute it, which requires a full picture of the gaps, the various areas involved, and roles and responsibilities.

As the GDPR touches upon so many areas, you will essentially need to plan in an integrated and holistic way too. Planning and, next, acting in a holistic way is one of those benefits you can achieve as you go through a GDPR compliance exercise. After all, digital transformation, security, information management, marketing, customer service and so forth need a holistic view to succeed as well. And we do still live in a reality with many silos.

In practice, you’ll plan across several functional and practical areas, however. These include:

  • Information management and governance
  • Security (and ICT as security needs to be guaranteed everywhere)
  • Human resources
  • Legal
  • Marketing, management of online presences and advertising (note that the GDPR will be complemented by a new EU ePrivacy Regulation).
  • Customer service and contact center
  • Etc.

You will also have to look at the ecosystem of your business, with among others third-party data partners and business process outsourcers (BPOs), and thus at SLAs too (vendor management).

In the planning stage (and also in the audit stage) you’ll have to look at, among others:

  • The practical aspects of moving to a ‘privacy by design’ organization.
  • “New” information governance plans.
  • Implementation plans regarding information management, security and privacy initiatives.
  • Plans regarding access policies, role management and the security controls which need to be put in place.
  • Plans to solve the potential vulnerabilities you detected in the assessment/audit stage.
  • Policy plans for the mobile workforce and action plans to tackle shadow IT.
  • Plans regarding audits and roles and responsibilities (e.g. the Data Protection Officer).
  • Plans regarding the roll-out of technologies that help improve security and privacy.
  • The plans regarding information audits, data retention, Master Data Management (MDM), device management (mobile phones of workers,…), etc…
  • Very specific plans in the many very specific aspects of security and technology: GDPR and cloud, GDPR and IoT, the list goes on.

Step 4: Taking action: doing what you’ve planned

Have a plan? Time to get practical, roll it out and deploy across all the areas you’ve identified and planned for.

As promised, below we dive a bit deeper into two areas, with links to additional resources which tackle various implications and actions to take in these areas.

However, as mentioned the various components need to be seen in a holistic way. As said earlier, many see the GDPR as an accelerator of the integration of security, privacy, information governance, compliance and more. And that is indeed a benefit.

Step 5: Managing/evaluating and improving/adapting

Once the plans are rolled out, the work is not done. In fact, if we forget the GDPR as such and look at the integrated approach regarding security, privacy, information governance etc., you’ll notice that we’re actually looking at a cycle.

So, on top of managing what we’ve done and evaluating our efforts with clear KPIs, there will always be a need to improve and adapt.

There are several reasons for this:

  • New employees will enter the organization.
  • New technologies will be deployed and touch upon personal data: whether it’s the cloud, Big Data or the Internet of Things, you’ll need to evolve.
  • Continuous improvement and adaptation is simply a given, certainly in a changing digital ecosystem and a changing legal and geopolitical context.

The GDPR and enterprise information and content management

Information systems, data quality monitoring, information governance processes, business processes and so forth need to be conceived or redesigned with the privacy by design requirements and, among others, the aspects of consent and control of the GDPR in mind.

Governance is one of the many aspects of the information management and data management puzzle. Compliance, nowadays the main driver of cybersecurity evolution, means information governance and information management.

But of course there are more information management aspects to the GDPR. As mentioned all fields are converging and, in fact, with several topics we’ve mentioned in the cybersecurity part, we are already in governance and information/data management.

GDPR from the information management perspective

Let’s also dive deeper into a benefit again here. We still live in a reality with siloed information sources and data-intensive processes, while integration is key to succeed in digital transformation from an information management perspective.

Moreover, many organizations have challenges coping with the increase of unstructured data and making sense of it. Finally, in many business functions you need a way to combine various formats and sources of data. Think about contact centers, for instance. Or insurance claims processes. While data lakes offered one solution in this regard, there are specific approaches for these various circumstances. For the contact center there are AI-enabled platforms that can deal with multichannel communications, for insurance claims processing there are case management solutions, and so on. All these, by definition integrated, approaches, connecting information and communication silos and leveraging various forms of data, help you improve customer service, response times and the business as such.

See the GDPR as a way to move in these better, integrated directions in case you haven’t yet. And then we haven’t even touched upon the benefits of revisiting your retention policies, or the benefits of making sure that you have methods to make data easily searchable, which not only makes the lives of your knowledge workers easier but is also a good idea when an individual wants to gain access to his or her personal data.

Some elements from an information management perspective

  • Mapping and classifying data. Many organizations don’t have clear visibility into the types of data (personal and others) they process. Moreover, insufficient classification makes it hard to implement the necessary policies. Where does all the concerned data sit across the organization and what is needed to have a single view and a fast and efficient way in case of compliance controls and potential questions?
  • Mapping personal data and data flows. While knowing where data and, in the context of the GDPR, personal data sits is important overall, we obviously want to look at the various types of personal data. Some of that data is more sensitive. For example: it’s clear that financial data, which can be abused with major consequences when stolen, is a bit more sensitive than some essential data for easy tasks. All personal data is created equal but some is more equal than others, to paraphrase George Orwell. Finally, also map the data flows whereby personal data is processed and document the various aspects of these flows: what, why, for whom (access!!!) and how long. With the GDPR people can ask which personal data are processed, where and how, so documenting is crucial.
  • The ‘how long’ brings us to data retention and erasure. Personal data sits everywhere. A traditional big challenge revolves around all the unstructured data/information/communications organizations have been hoarding across various repositories. That hoarding comes with many disadvantages as such, but in the GDPR context it’s key to look at retention and also erasure (remember elements such as the right to be forgotten, portability and the right of access). What (personal) data do you actively use today, what data do you have and don’t use but could/should use to improve your business, and what is ROT (redundant, outdated, trivial information) and can go, thus further decreasing risks?

Move towards a holistic information governance approach, deal with fragmented data and increase visibility.

GDPR and information management technologies and strategies

On the solutions level of GDPR and information management we, among others, note consent management platforms, records management solutions, security solutions and artificial intelligence to name a few.

The latter is particularly interesting from an automatic classification perspective and to simply know where Personally Identifiable Information sits at all times. It’s one of the most powerful ways to be close to GDPR compliance demands although security strategies and information management strategies need to be revised.

As is mentioned in our article on GDPR as a business strategy and information management challenge, the GDPR’s privacy by design means that you de facto move from an ‘open unless’ to a ‘closed unless’ enterprise information management and enterprise content management approach.

Simply said: instead of having a security model on the level of information management (or having none at all) whereby in principle everything is open to the teams unless decided otherwise for specific folders or resources, you do the opposite: you determine what needs to be closed from the GDPR’s perspective, what can be open, and how you make sure you know what is open and where it sits.

There is more (much more) and the list with resources on the GDPR and information management (and more) below can hopefully serve you.


The GDPR and cybersecurity

It is inevitable but also beneficial and about time: there are no more excuses to NOT increase cybersecurity maturity and go beyond outdated security approaches.

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations (GDPR)
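The regulation's point in the quote above is that pseudonymised data only becomes personal data again when combined with "additional information" that is kept separately. The following added example (written for this guide; not code from the original page or from the regulation) shows one common way to do that for a direct identifier: a keyed hash (HMAC-SHA256) produces the pseudonym, the working dataset carries only pseudonyms, and the key plus the lookup table are the separately held additional information. The sample rows, the key and the table layout are assumptions; the `match_candidates` check also shows why an unkeyed hash of a guessable value such as an e-mail address is weaker than a keyed one: anybody with a list of plausible addresses can recompute it.

```python
"""Pseudonymisation of a direct identifier with a keyed hash (HMAC-SHA256).

Added example for this guide, not code from the original page or the
regulation. Key handling, table layout and the sample rows are assumptions.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: same identifier and same key give the same token.
    Normalising the input keeps 'Alice@Example.com' and 'alice@example.com' linked."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def split_dataset(rows: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Separate the working data from the re-identification table.

    The analytics rows carry only the pseudonym; the lookup table (and the key)
    are the 'additional information' that has to be kept separately."""
    analytics, lookup = [], {}
    for row in rows:
        token = pseudonymise(row["email"], key)
        analytics.append({"subject": token, "plan": row["plan"], "spend": row["spend"]})
        lookup[token] = row["email"]
    return analytics, lookup


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def match_candidates(token: str, candidates: List[str], key: Optional[bytes]) -> Optional[str]:
    """Which candidate identifier produces this token?

    With key=None the unkeyed hash is recomputed; with a key the HMAC is. This is
    the check a controller runs to verify that a token is only linkable by
    whoever holds the key."""
    for c in candidates:
        guess = plain_hash(c) if key is None else pseudonymise(c, key)
        if hmac.compare_digest(guess, token):
            return c
    return None


# Constructed sample rows (assumed).
SAMPLE_ROWS = [
    {"email": "Alice@Example.com", "plan": "pro", "spend": 120},
    {"email": "bob@example.com", "plan": "free", "spend": 0},
]

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # store this with the lookup table, away from analytics
    analytics, lookup = split_dataset(SAMPLE_ROWS, key)
    print(analytics)
    print("re-linkable with key:", match_candidates(analytics[0]["subject"], ["alice@example.com"], key))
    print("re-linkable without key:", match_candidates(analytics[0]["subject"], ["alice@example.com"], None))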

As said earlier, security cannot be an afterthought in an age where data is the new oil, personal data is worth far more than oil and digital transformation simply requires better security.

Without diving too deep in the details (for now) this means, among others:

  • Embrace security by design, just as the GDPR requires privacy by design. Security by design means security as an omnipresent given, from the very start of products (imagine how many consumer IoT manufacturers would need to change), processes and people’s activities.
  • Have a proactive and embedded security approach, including all aspects in the ubiquitous security perimeter reality (the perimeter is not gone, it is everywhere) in which all aspects matter (the edge, the network, cloud, the IT systems, data storage, databases, applications, you name it).
  • Take a holistic approach to cybersecurity, starting from awareness and employee education (part of your mobile perimeter at the edge) and going all the way through your systems, processes and close to where (personal) data is generated and processed.
  • Very possibly you will need to redesign your overall cybersecurity infrastructure with a focus on the just mentioned characteristics and, in the GDPR context, obviously on data flows and any process and risk factor where privacy and personal data can be involved (with breaches being a crucial, yet just one of several, dimensions).
  • Go for real-time security possibilities, among others regarding the enforcement of security policies in areas such as device management, access (to data), the activities of users and so forth. Encryption of personal data also is emphasized by the GDPR.
  • You need a unified view on what happens with data, data processes, Big Data environments (e.g. data lakes), regardless of form and structure, and single visibility for the Chief (Information) Security Officer, IT manager or whomever needs it across all operations, workloads and the IT infrastructure as such.
  • Conduct regular testing. On top of a proactive cybersecurity approach with predictive capabilities, which won’t be possible for everyone, pro-activeness also means regular and, where possible, continuous testing: from ethical hackers to penetration testing and beyond. Do penetration testing, among others on the level of your web applications and web services, deploy a vulnerability scanner on individual devices and across the full organization, and go for vulnerability management and an integrated approach.
  • Look at mechanisms and solutions to prevent identity fraud (there are specific solutions in some countries, for instance to make sure that stolen identity cards or driver licenses can’t be abused).
  • Conduct social engineering testing. Phishing is still an important way of obtaining personal data. Workers need to be trained on these tactics, social engineering and security overall. Also test how susceptible employees are to social engineering, using one of many phishing simulators.

Last but not least: bad things happen and we shouldn’t forget the breach notification duty of course.

In practice, this means you need to set up the necessary monitoring, auditing and alerting mechanisms. This is also a cross-functional task and there are solutions for legal to deal with it. You need incident management processes and a clear view of who needs to do what and where in case of a breach. Testing whether they work well is not a luxury.
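Monitoring and alerting on personal data only works when the alerts are tied to what you documented about access. The following added example (written for this guide, not code from the original page) runs two such rules over a constructed audit log of personal-data access: an account reading a dataset with a role that is not on the documented accessor list, and one account touching an unusually large number of distinct data subjects within a short window, which is the kind of event that starts the breach clock. The log format, the role table, the threshold and every log line are assumptions.

```python
"""Two alerts over a personal-data access audit log: access by an undocumented
role, and bulk access to many data subjects in a short window.

Added example for this guide, not code from the original page. The log format,
the role table, the threshold and every log line are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Which roles are documented as allowed to access each dataset (assumed).
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "support_tickets": {"support", "it"},
    "billing": {"finance"},
    "newsletter": {"marketing"},
}

# Constructed log lines: "<timestamp> <account> <role> <action> <subject id> <dataset>".
_lines = [
    "2018-05-25T09:00:01Z alice support read subj-1001 support_tickets",
    "2018-05-25T09:00:05Z alice support read subj-1002 support_tickets",
    "2018-05-25T09:01:10Z bob marketing read subj-2001 billing",
]
# carol exports 60 different subjects' billing records within one minute
_lines += [f"2018-05-25T10:00:{s:02d}Z carol finance export subj-{4000 + s} billing"
           for s in range(60)]
SAMPLE_AUDIT_LOG = "\n".join(_lines)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, account, role, action, subject, dataset = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "account": account,
            "role": role, "action": action, "subject": subject, "dataset": dataset}


def detect(log_text: str, threshold: int = 50,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (alert kind, account, detail) tuples for the two rules."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts: List[Tuple[str, str, str]] = []

    # Rule 1: role not in the documented accessor list for that dataset.
    for e in events:
        if e["role"] not in ALLOWED_ROLES.get(e["dataset"], set()):
            alerts.append(("role_violation", e["account"],
                           f"{e['role']} {e['action']} {e['dataset']}"))

    # Rule 2: one account touching >= threshold distinct subjects within the window.
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {e["subject"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                alerts.append(("bulk_access", account,
                               f"{len(seen)} subjects within {window}"))
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for kind, account, detail in detect(SAMPLE_AUDIT_LOG):
        print(kind, account, detail)
```

Neither rule needs to know whether the access was malicious: a finance role exporting sixty billing records may be legitimate month-end work, but it is exactly the event the incident process should be able to explain quickly, which is how you test that "who needs to do what" actually works before a real breach.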

Below is a list with resources on the GDPR and cybersecurity.

How the GDPR can benefit your organization: trust

On top of being the mentioned framework which is needed for growth in a digital economy that transgresses the borders of individual nations, there are several other ways in which, and reasons why, the General Data Protection Regulation benefits your organization if you do your GDPR compliance homework properly.

Some of these benefits have to do with optimization opportunities, others are societal and have reached a boiling point throughout 2016 and early 2017. We start with trust.

If data is the new oil, trust is the new oil well

We have reached a point in history where the technological possibilities and innovative capabilities, leveraging these new technologies, are about to explode.

The things we can do, as organizations, governments, individuals, marketers, manufacturers and so forth thanks to technologies in the space of Big Data, analytics, cloud, the Internet of Things, cognitive/AI, social and mobile, to name a few, already seem huge today.

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed (GDPR)

The truth, however, is that we haven’t seen a thing yet. Despite getting major attention, the Internet of Things, for instance, is still in its early days. The volumes and variety of data which we started to call Big Data, are just some small droplets in the ocean of data that will soon be generated in science alone. Despite looking at this grandiose digital universe of data which we believe we see today and which is the common denominator in all the mentioned technologies and the many others we didn’t mention, we indeed haven’t seen a thing yet.

The many smart people who are working in several of the mentioned fields today know that and, as far as the digital transformation of industries and many aspects of our lives are concerned, they know the potential. For some it is reason for great optimism, for others it’s scary and for those who care it’s a mix of both.

Yet, for all that new oil, there is a big challenge that is happening right now right here and that needs to be addressed: trust.

Trust is not just the new oil well: if it gets broken, anything we do in a digital society with that new oil, called data, is doomed to fail. Without trust and transparency regarding what we are doing, there will be an inevitable backlash and, to continue the oil well image, we might see some oil fields on fire.

With apologies for the doom scenario: the benefits of digital innovations and of data, put to work, are tremendous, but we must keep people and trust in mind. It matters because human emotion, and the human ability to stop evolutions or rapidly adopt an entirely shifted mindset, beats all data, technological transformation/innovation and predictions, no matter how big the data.

The state of trust in the digital age

There are ample signs of a backlash against the way we use data today and, in a broader perspective, of distrust regarding the parties that gather and process data and the digital evolutions as such.

We’ve mentioned it several times before, among others in the context of the importance of restoring trust by leveraging trustworthy content (marketing) for trustworthy and transparent communications: the Edelman 2017 Trust Barometer shows a declining level of trust in all areas.

Hyper awareness and growing sensitivity toward data exposure appear to have consumers on the verge of making serious changes in their behavior

Other research indicates that even younger generations are increasingly vigilant regarding the ways their data is used and consumers are on the verge of potentially disrupting the state of privacy.

The GDPR, as a framework, offers a possibility to restore trust in the digital economy and, at least as important, enables organizations to improve their current data and security practices. That is crucial anyway in these times of hyper-connectivity, where data, as said, has become more than just a crucial business asset and where smooth and transparent processes lead to a perception of trust, efficiency and good business practices. Obviously, improving current practices and processes with security, transparency, efficiency and people in mind is also good for the bottom line and the effectiveness of the organization (in a digital economy) as such.

Better security and information management lead to higher digital transformation success probability

Research has clearly indicated that involving security from the very start in any digital business transformation project with a role for (new) technologies, leads to more and faster success.

Moreover, security by design is simply beneficial (and a must), and security is a digital transformation enabler and accelerator. No matter the stage of your digital transformation or the aspects you transform (business processes, customer-centricity, the development of new capabilities, tapping into new business models and so forth), things have to run smoothly and reliably, guaranteeing not just business continuity but also protecting the assets that drive the digital economy: data and people.

Moreover, just imagine how better security practices, by design, along with better privacy practices, as the GDPR requires by design as well, would advance various markets where the Internet of Things clearly has transformational potential and leads to tangible outcomes, today mainly in an industrial Internet of Things context. The same applies to other, related sets of technologies and, most importantly, how they are leveraged to reinvent business models or optimize existing processes, customer-facing operations and so forth.

On an information management level, which is also key for GDPR and is closely related with security from the data and governance perspective (among others), the various audits, plans and deployments regarding enhancements for the GDPR, de facto include data discovery, integration of silos, a need to look at what data you “have” and where it resides, smoother reporting and search possibilities, improved data mapping, retention policies and so much more.

It is an undeniable fact that one of the major hurdles in many digital transformation projects revolves around poor data and information management practices.

We’ve reported on this several times so see the GDPR as a way to do better here too.

Holistic (customer) optimization benefits of the GDPR

When you do a strategic exercise (holistic by definition) regarding all aspects of how you deal with personal data, and thus also customer data, with the interest of the latter in mind, you are forced to 1) identify the data (and in the process find unstructured data you haven’t leveraged and/or gain better insights) and 2) revisit the ways you process data.

If you take this exercise seriously, with relevance, consent, privacy and the mentioned holistic approach in mind, it’s almost inevitable that you also detect numerous opportunities to optimize several customer-facing activities. Maybe your contact center will finally have at its disposal all the data required to better serve and service customers; maybe you’ll improve marketing efficiency as your staff learns not to think of a name and email address on a list as nothing more than that.

We can go on for a while.

Challenges and issues regarding the GDPR

Probably we’ve tackled enough challenges already and in the lists with resources you’ll find plenty more. However, there are challenges, concerns and issues that need to be looked at.

It won’t come as a surprise that there are frequent calls from all kinds of industry organizations to clarify not just the sometimes somewhat vague terms in the GDPR (such as “disproportionate effort”) but also to look closer at some practical issues that arise.

We’re not naive and it’s clear that, while the GDPR offers benefits, it also comes with loads of uncertainties, practical challenges and for some industries more than for others with serious inconveniences to say the least.

Several industry associations look at these issues as they learn them from their members and experts and also lobby for flexibility or de facto changes.

While we can’t cover all challenges, issues and initiatives it’s good to look at the issues as they are raised a bit everywhere and see whether they apply to you as well. By way of an example we covered four GDPR issues as they were raised in March 2017 by a few marketing/advertising associations. Some can be of help for your business too.

GDPR concerns in marketing – and beyond

A list of GDPR resources and guides

For more (much more) explanations of all the legal and regulatory components of the GDPR and the used terminology, as well as the full text, check out the list with resources below.

Disclaimer: some resources might point to stipulations that have been amended. This guide is a source of information and can contain outdated information. Feel free to tell us.

More articles on the GDPR and GDPR compliance

GDPR fines, GDPR staff awareness, GDPR compliance, controllers and data subjects. Are you lost? Then also check out the following resources on the GDPR.

What is the General Data Protection Regulation? GDPR overview.

In this article we answer often asked questions about the GDPR in an easy and understandable way.

Among the tackled questions are the meaning and definition of GDPR, why the GDPR has been put in place, where you can find the final GDPR text, what the differences are between the General Data Protection Regulation and its predecessor, the Data Protection Directive, what it means to be GDPR compliant, what consent means, what is sensitive data, what a GDPR checklist is, where to start when you’re not GDPR compliant in time and what the GDPR fines are in more detail.

What is GDPR? The General Data Protection Regulation (GDPR) overview

GDPR compliance: a strategic business and information management view

This article in fact combines two important aspects with regard to the GDPR, which we have briefly tackled before.

  • On one hand it looks at the strategic business aspects of the GDPR and offers a no-nonsense approach to becoming as GDPR compliant as possible, with a prioritization of what to do first and how to progress, showing that you did as much as you could to minimize personal data risks and thus also GDPR fines.
  • On the other hand it looks at GDPR compliance and the various strategic steps to take from mainly a personal data and information governance and information management perspective. Starting from the essential stage (and quick win) of GDPR awareness to risk analysis, effectively implementing privacy by design, enabling the right of erasure with retention schemes and records management and for really advanced GDPR compliance: automatic classification!

GDPR compliance: a strategic business and information management view

GDPR awareness and GDPR staff awareness

Given the fact that GDPR compliance really should start with GDPR awareness and GDPR staff awareness, this article dives deeper into the why and how.

While GDPR awareness is low-hanging fruit and a quick win on the road of GDPR compliance it does require executive involvement and a clear focus on people and involving all employees as personal data protection is a matter of the whole organization. Unfortunately, as the article explains, the departments that are most often involved in GDPR compliance are IT, security and legal.

So, what is needed to have a culture that supports privacy by design and a cross-organizational GDPR awareness in which the value of personal data is really understood? Knowing that consumers do expect personal data protection (and in case of breaches there are more consequences for your business reputation than fines), and knowing that a culture of personal data protection must even stretch beyond the organizational borders (because you have partners, suppliers and so forth who also need to be compliant in order to avoid liability discussions and more), it’s an important read.

GDPR awareness: a matter of people, culture, leadership and acting now

GDPR compliance failure starts with wrong perceptions

Many organizations are quite confident that they are GDPR compliant. Unfortunately, there are disconnects on various levels which lead to failure in complying with GDPR.

It starts with a lack of understanding of the GDPR (one disconnect) and goes on to a lack of executive buy-in, as also found in this article on GDPR and cloud, and a lack of having the essential data governance strategies in place.

Do not become one of the many organizations where there is a disconnect between perceptions about how GDPR compliant you are and the reality of your GDPR compliance. Check whether you are indeed properly prepared instead of trusting perceptions over facts.

The dangerous GDPR compliance disconnect: between perception and reality

GDPR and personal data protection: everything about data subjects, personal data, sensitive data, personal data identifiers and more

The General Data Protection Regulation is about the protection of personal data of data subjects. That much is clear.

However, in practice we find that many people don’t know the meaning and importance under the GDPR of personal data, the identifiers that make the data subject even more identifiable and/or make personal data sensitive data, the importance and meaning of pseudonymisation and encryption, all the new identifiers, and even what a data subject is under the GDPR.

This article takes a really deep dive and makes all those terms and their role and meaning clear!

GDPR data protection: the data subject, personal data and identifiers explained


Top image: Shutterstock – Copyright: symbiot – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advise you to seek assistance in preparing for GDPR.