The Road to Compliance: How to Tackle GDPR Challenges
In IMA’s latest Inside Talk webinar, “What is GDPR and why should I care?” sponsored by Oracle-NetSuite, I had the opportunity to talk with a panel of colleagues from Bridgepoint Consulting, Bazaarvoice and AllClear ID about the realities of GDPR compliance. Speaking to an engaged group of more than 1,300 attendees from 48 countries, we discussed who is affected, what goes into the GDPR compliance effort and how companies can benefit from a proactive approach.
Here are a few key take-aways from our conversation:
GDPR ISN’T ON THE WAY; IT’S HERE
The General Data Protection Regulation (GDPR) requires organizations to manage the personal data of EU residents appropriately or face serious fines. “This is by far the most comprehensive global data privacy regulation ever developed, and it’s the biggest overhaul of EU data protection laws in more than 20 years,” Michael Johnson, a Bridgepoint Principal, told our audience.
GDPR went into effect on May 25th, 2018, and its main focus is to make sure organizations take data protection seriously. “It applies now. It’s not coming; it’s here,” Michael stressed, saying the law applies not only to EU based organizations, but to any U.S. business that collects or processes data from EU residents for purposes like marketing, research or the sale of goods.
GDPR also expands the definition of personal data to include details like email, IP addresses and GPS information. It also puts more significant controls on cultural and social data like health records, criminal history and religion.
Companies subject to the law must do the following:
- Process that data lawfully and transparently
- Collect it only for specified reasons
- Keep it current
- Delete it after use
- Handle it securely and confidentially
IF YOU’RE NOT CURRENTLY SUBJECT TO GDPR, YOU WILL BE SOON
Why should you care? The short answer is that not caring exposes your organization to a penalty of up to 4% of global revenue from the previous fiscal year or €20 million, whichever is higher. In addition, GDPR affects the way organizations handle everything from mailing lists and opt-in requests to breach notifications. It also requires a number of specific controls. For example, if you’re subject to GDPR and process large quantities of personal data without a Data Protection Officer in place, you’re already in violation.
About 40% of attendees said they’re not affected by GDPR, which tracks with what we’re seeing in our client base. However, even if you aren’t subject to GDPR today, you will most likely fall under similar laws in the near future. For example, the California Consumer Privacy Act of 2018 which passed in June, takes many of the protections in GDPR and applies them in the state of California. As the debate over data privacy continues to gain more traction, it’s looking as though other states and countries will soon follow with their own privacy regulations. And if your clients are subject to GDPR, you’ll need to get in compliance or risk losing their business.
YOUR GDPR COMPLIANCE APPROACH MAKES ALL THE DIFFERENCE
At Bridgepoint, a typical roadmap for helping our clients achieve full GDPR compliance includes:
- Data mapping: Identifying personal data including types, locations and security measures
- Gap analysis: Looking at GDPR requirements to see what is already in place and what’s missing
- Action plan: Creating a remediation plan that includes a target date, owners, risk level and actionable steps
- Remediation: Addressing issues based on priorities such as highest risk or easiest win
- Assessment: Analyzing whether fixes are working and how they can be improved
The Bazaarvoice Perspective: Automating Data to Achieve GDPR Compliance
Bazaarvoice went through a similar process when it addressed GDPR compliance—and that was no small task, since more than 1,000 clients that use Bazaarvoice technology to analyze consumer ratings and reviews fall under the regulation.
Anji Greene, Director of Security for Bazaarvoice, said the organization put together a team of leaders from IT, engineering, HR, legal and marketing to address the following high-level areas:
- Policy changes and DPAs (Data Protection Agreements): Creating more stringent data retention and privacy policies, as well as updating contracts with data protection agreements that clearly identified data processing and controller roles.
- Data mapping and records reporting: Identifying and locating all personal data, as well as putting appropriate records in place for the business and its partners.
- Communications: Alerting clients to the impact of GDPR, upcoming changes and what Bazaarvoice was doing to satisfy requirements.
- Training: Creating training for all employees, as well as specific training for support and engineering teams.
- Data retention and access requests. Making engineering changes in the production environment to support GDPR.
Data mapping: personal data is everywhere
Bazaarvoice found personal data everywhere: in HR, IT and production systems, in storage, in the cloud in tools like SalesForce and Box, and in local databases, email systems and logs. “Personal data isn’t sitting in a file marked personal data,” Anji said. “It’s in all types of formats: PowerPoint decks, Excel spreadsheets, structured and unstructured file types.” Bazaarvoice identified individual owners, standardized collection and reporting, and worked with outside partners including Bridgepoint to build data maps and data flow diagrams. Asked how long the process took, Anji laughed. “We’re still not done. It’s ongoing and never ends. We’re a 13-year-old company that had never focused on this, and it took us 6 months. We’ve been working on our overall compliance initiative for a year and a half.”
Request to Access (RTA) and Request to be Forgotten (RTBF): why manual processes won’t work
GDPR specifies that any EU residents can request to obtain, rectify or erase their data at any time without undue delay. Because the company hadn’t received RTA/RTBF requests before, they assumed they could devise a manual strategy on the fly for the few they might receive. But as the May 25th date approached, big clients like Procter and Gamble estimated they’d be sending about 200 requests a week—a volume that would require a massive team effort to handle support tickets and notify clients and consumers. The company also realized that a manual effort that involved copying and sending affected data would actually expose them to more data security and privacy risks, making matters worse.
Instead, Bazaarvoice automated the process by building a privacy tool with an API and portal interface for clients. The tool accepts requests from authorized users, notifies all registered services and third parties and provides a secure URL with the information or evidence requested.
From May 25 to mid-September. Bazaarvoice received 4,700 requests from 75 individual clients—and the company responded within 14 days. “We are a data processor most of the time—just one vendor out of possibly many from our clients’ perspective,” Anji said. “We want to give them plenty of time to get back to the consumer. Automating was the only way we would have been able to handle such a large number of requests.”
The AllClear ID Perspective: Avoiding the Tragic Quadrant
AllClear ID helps companies respond to data breaches, and Response Ready Advisor Steve Ivey said they’ve seen everything from an employee emailing the wrong spreadsheet and exposing data from 10 customers to breaches affecting tens of millions of people. His company works with clients dealing with emergencies, as well as those that want to get ready before a breach can occur.
Part of that challenge is that GDPR requires companies to notify regulators within 72 hours of an incident discovery and to notify customers “without undue delay.” The problem, Steve said, is that nobody knows exactly what that means, and there’s a massive fine associated with non-compliance.
To help clients understand their responsibilities, AllClear ID came up with a chart they call the Tragic Quadrant. “If you do a great job responding, you get to continue with business as usual,” Steve explained. “If you do a poor job, you have executives being terminated, you experience churn in your customer base and have stock prices dropping. In addition, you have regulators giving additional scrutiny into what you’re doing.”
To avoid those consequences, companies need a quick, high-quality incident response, which means notifying, supporting and protecting an affected population quickly with resources like websites and phone lines to give people real, consistent and helpful answers as an incident continues to unspool. Companies also need to understand and avoid common reasons why breach responses fail, such as not setting aside the budget, time and resources to prepare and test a readiness plan.
Our speakers closed out the discussion by sharing some lessons learned on the road to achieving GDPR compliance, including what they’ve seen work best. Their key pieces of advice to other organizations who are looking to tackle this new regulation effectively:
- Have complete and accurate data mapping;
- Delete data you don’t need and don’t collect more data than you do need; and
- Commit resources to preparing and testing your public-facing breach response plan.
BRINGING IT ALL TOGETHER
The reality is that GDPR compliance is inevitable. If your organization is not affected now, you will most likely fall under similar regulation in the future, including the probability of a federal law here in the U.S. as the debate over data privacy continues to gain major traction. Compliance is an ongoing, everyday process—one that involves everyone from senior management to your most junior staff, and that requires some significant digital heavy lifting.
While there have been a multitude or reports and articles expressing the downside of GDPR (massive fines and penalties, negative media coverage, the damage to a company’s reputation, etc.), it should be embraced as a business differentiator rather than feared. However counterintuitive it may seem, those with the most work to do on GDPR actually stand to make the greatest gains. If you handle customer data with integrity, you can build trust with existing customers and attract new ones. By embracing this effort with a positive attitude and a focus on improving current systems, you can also reap rewards far greater than compliance, including better relationships with your customers and a clearer understanding of their data.
HOW WE CAN HELP
If you are unsure how to achieve full compliance, our seasoned team of GDPR experts can help. Bridgepoint can guide your organization through each step of the process, from data mapping to developing and executing your action plan.
Want to learn more about our GDPR Services?
Ready for a Solution?
Let Bridgepoint Consulting Help
Whether you need help with a platform/business strategy, an in-flight project, or need a talented consultant to bridge critical gaps, our team is here for you.