Automation and out-sourced expertise can help provide the needed support for businesses seeking to catch up on GDPR compliance.
The Beatles’ Sgt. Pepper’s Lonely Hearts Club Band, the seminal album by the greatest rock n’ roll band of all time, turned 50 years old at the start of this summer. Curiously, the album came just at the time the Beatles quit touring for good, and the album’s genius was sparked by creativity and outside-the-box thinking at a key career turning point for the band.
In many ways, the struggle to adapt to the requirements of the EU’s General Data Protection Regulation (GDPR) presents many organizations with a similar turning point: Become creative and innovative in the approach to significant data protection requirements, or face crippling potential fines and severe limitations in the global scope of business.
Unfortunately, all indications point to the fact that compliance efforts have been slow, or non-existent, for both EU-based and US-based companies alike. An extensive Varonis poll from late spring 2017 revealed that 52 percent of organizations face significant challenges in identifying the extent and locations of personal data and PII in their systems, and nearly 75 percent will likely struggle to meet all GDPR requirements by the May 2018 implementation deadline. As could be expected, small and medium size businesses face the most significant hurdles toward compliance. In a typical day in the life of smaller-sized businesses, there just simply isn’t the manpower, expertise nor time available to properly devote to GDPR readiness.
However, the available support for businesses seeking to catch-up on GDPR compliance is getting better all the time. First, there are now numerous resources on GDPR compliance, including regulatory guidance, readiness assessments, toolkits, and quick, but helpful, references such as DPO decision trees.
Second, according to official guidance on the GDPR released by the Article 29 Working Party (which will become the European Data Protection Board under the GDPR), there are many options for filling the data protection officer (DPO) role required by the regulation, including outsourcing the DPO role to a third-party service provider. For many organizations, finding a DPO with the expertise, experience and independence required will be a tall order, particularly for US-based organizations with no physical presence in the EU. The outsourced-DPO can make the appointment of this key person for GDPR compliance substantially easier.
Finally, though the accountability and reporting requirements of the GDPR can seem daunting, the right technology and automation solutions for information governance can really streamline the entire compliance effort.
Some of the key GDPR requirements that can be best met through information governance and automation tools include:
Article 15: Right of Access
Article 15 requires that organizations provide data subjects with information regarding the personal data held on them within the organization’s systems. Any further collection, processing, or transfer the organization has performed/will perform on the data should also be indicated.
Procedures for handling subject access requests can be streamlined by creating an automated dashboard from which individual data subjects can view the full nature and extent of personal data held in an organization’s systems. From the dashboard, the user can also acknowledge or consent to data transfers, view legal holds, and request deletions.
Article 17: Right of Erasure
Numerous organizations have struggled with the Right of Erasure (or the “Right to be Forgotten”), which requires that any links to, copies or replications of a data subject’s personal data be deleted when that data is no longer necessary for the purpose for which it initially was collected.
An automated erasure process with logs and reports, incorporated as a part of data processing procedures, will not only ensure full compliance but also provide the adequate records necessary for data subject requests or regulatory oversight.
Article 18: Right to Restriction of Processing
In order to effective comply with Article 18, stored personal data must be marked or flagged for limited processing, and the volume of data must be proportional to the legitimate basis for the processing activity. Data-mapping and data governance technologies, such as those built into Cloud platform providers like Microsoft Azure and Amazon S3, can be effective in ensuring that narrow processing conditions remain in place, particularly for personal data, PII and sensitive data, where native automation can detect these and flag them. But mostly, these technologies can, and should, exist across corporate directories, databases, applications and systems for effective GDPR compliance.
Article 25: Data Protection by Design and Default
It’s imperative under the GDPR that data protection be sufficiently integrated into product lifecycle and planning, and that protections around the proportionality of data collections and retention of data be maintained throughout processing activities. Enabling the necessary in-place technological safeguards in advance, such as single instance storage, firewall security, encryption, etc., will ensure that Article 25 requirements are properly, and consistently, addressed. Much like the previous Article 18, cloud platform providers like Microsoft Azure and Amazon S3 are inherently safeguarded with these technologies.
Article 30: Records of Processing Activities
Article 30 requirements under the GDPR address records of processing activities. Maintaining processing records are core to the accountability obligations of the GDPR, and require specific elements that must be recorded by both data controllers and processors.
An automated process for producing the reports and records under Article 30, with categories for including information on data movements and cross-border transfers, identifying data locations and access rights, and pinpointing time limits for erasure of different categories of data, will make this significant requirement much easier to implement.
Of course, having a DPO that can propose, implement and oversee these automation and technology solutions, as well as provide solutions for other requirements like the Data Protection Impact Assessments of Article 35, will be critical. An outsourced DPO, with the required expertise in national and European data protection laws and practices, will be critical for most organizations. That expertise, coupled with information governance, automation and technology solutions aimed at streamlining compliance to the GDPR, will bring many small and medium size business closer to where they need to be ahead of May 28 of next year.
Written by Ryan T. Costello, Esq., CIPP/E Operations Manager, eTERA Consulting in Europe. Ryan can be reached at firstname.lastname@example.org.