Are you ready for May twenty fifth? That’s the date that the EU’s General Data Protection Regulations (GDPR) are slated to be implemented. These rules — and their associated sanctions — target any organization that handles data about EU citizens, whether or not that organization is itself in the EU (Article 3, Paragraph 2 & 3). Fines for non-compliance can be significant, coming up to twenty million Euros, or 4% of a company’s annual worldwide turnover (that’s your sales, not just your profits), whichever is greater (Article 83, Paragraph 5 & 6). Sanctions can also be as little as a written warning. While we won’t try to give you any legal advice, let’s take a quick look at the good habits the regulations are encouraging, and see what we can do about strengthening them in our own organizations.
If you’ve got user data, you have serious responsibilities under GDPR. You must have consent from your users, consent given “in an intelligible and easily accessible form, using clear and plain language” (Article 7, Paragraph 2). You must be able to provide information about how you’re using this data (Article 12), let your users access it in particular ways (Article 15), erase their own information (Article 17), and that’s just what you have to do with the users themselves. You have to alert the authorities (in every country with affected citizens) to any data breaches within 72 hours of discovering them (Article 33), to tell your users (Article 34), to demonstrate that your systems protect user data “by design and by default” (Article 25), that they are secured against unauthorized use (Article 32), and that your vendors comply as well (Article 28). Well, I could go on a bit, but I think you see the connection.
For the most part, this is all stuff you should be doing already. The regulations require that you’ve thought out why you’re collecting user information, what information you’re keeping, and who’s doing what with it. They require that you are conscientious about people’s data. And yes, now, you’ll have to let folks have a little more insight into what you’re doing, and may have to implement some new features on your website, but you also have an opportunity to get buy-in from your management to work on your data stewardship and IT processes.
The first step to GDPR compliance is a good data audit. Go through your organization — not just through your web sites, CRM, HR portal, but also through your paper files — and see what information you’re keeping on people and how you’re using it. Write everything down. Now, you’ve got documented processes (Article 30).
Congratulations, not only do you have a good insight into a number of areas of your operations that might you might not normally interact with, but you’ve got a wishlist of IT improvements and a great way to show their business value. When talking to your boss, or your board, just keep mentioning the top fines under the GDPR. Since that’s what’s in the headlines, all the popular press will be backing you up.
The next step is to flesh out the details of that list, to really start turning it into a roadmap and plan of action. This’ll be the time to take care of little details that might not have been important on their own, but which, together, can really make a difference in terms of compliance. Now’s the time to switch your website over to HTTPS and get that extra SEO benefit, to get a maintenance and patching schedule funded, even to fix the lock on the filing cabinet where you keep your HR paperwork. Take the list of processes you generated during your audit, and make sure you keep it handy.
Whenever you see something like ” …and then we send an email out over MailChimp,” stop and track down what MailChimp’s doing with your user’s data too. You’re on the hook for it, now. Make sure your providers are working under the EU US Privacy Shield (https://www.privacyshield.gov/welcome).
Whenever you have users logging into a site, take note, as you’re almost certainly collecting information covered under the GDPR. Make sure your site has a posted privacy policy and terms of service, and that they include some version of the data audit you just did. Then, make sure you have a way for users to exercise their right to be forgotten. The simplest way is to let them delete their accounts.
Now, you’ve gone through your sites. Have you thought about your backups, and your staging sites? If your developers are using live user data on their development machines for something beyond debugging, it’s time to think about just what you’re keeping, and why. Your system should be protecting data “by design and by default” (Article 25), but if they were designed before the GDPR, they probably weren’t. Sure, there’s a fair amount of work in your future there, but also a chance to improve your tools. You’ll be adjusting your continuous integration tests to make sure you’re not using live data, so why not add in visual regression tests as well?
Or, maybe, you read that last paragraph and realized that you aren’t doing backups, or you’re thinking that you don’t have a continuous integration process, let alone a regular update schedule. Don’t panic. Calmly review Article 25 and be ready to use it to get some help to form the good data management habits the GDPR requires.
Want some help getting ready? ParsonsTKO can work with you to turn the risk of GDPR compliance into an opportunity for improvement.