I’m not going to tell you how to prepare for GDPR impact here. I’m assuming you know roughly what it is, what it means and when it’s happening. There are a lot of people trying to make money from it already, both as consultants and as service companies. There are also lots of great articles that summarise the key aims and articles of the regulation.
I’m probably in the same boat as you, wondering if what we’re doing is enough. It’s hard, because most consultants will agree on the basic tenets of GDPR – after all, it’s there in black and white for anyone who wants to read it. Where consultants will disagree is around exactly what we need to do, how far we need to go, what evidence is enough to prove compliance. Do we say, ‘We’ve got current data protection covered and we’re so far down the food chain the chances of a GDPR fine are slim’ (that’s not advice!) or do we go as far as Wetherspoons and bin our whole database and start again?
No one will really know what the practical situation is until some case law has been generated through the courts. This means that your consultants may apply the precautionary principle and push you towards extreme compliance. I’m not saying that’s wrong; that’s where we all want to be. But what if we approach it from the other direction and ask, as a piece of pre-compliance work: how can we adjust the business to minimise the impact and fallout of the regulation?
Here are a few broad areas you can consider, with a couple of gotchas along the way.
Don’t misunderstand the scope – it’s all about people, wherever they are ‘stored’
GDPR applies to people, not companies. However, people work at companies, and if you have a load of company contacts with email addresses, that is personally identifiable data, so your database immediately comes into the scope of GDPR, along with all the concomitant pain of free access and deletion requests, requirements for risk review and so on. Don’t ignore this: it means you are just as in scope as someone with a full database of citizens’ names, addresses and inner thigh measurements. It’s key that you first draw up a list of everywhere you store such information. You might even find there’s some duplication you can easily remove at the outset.
Use what you have around you
Companies, even small ones, that are particularly regulation heavy, such as those in finance and medicine, will already have great controls around their core systems. They often won’t have the same rigour around their customer or supplier contacts, or the spreadsheets full of customer complaints that have been gathered. If you have controls and methods on your core business systems, try extending those skills and knowledge to anywhere, in say sales and marketing, where you store information about individuals. People who build systems often have security ingrained as part of their process. Get the same people who understand your business data systems involved with your other departments for your pre-compliance analysis. They’ll often already have a good idea about data security and compliance that you may never have thought about, to the spirit if not the letter of GDPR. Then, if you have to bring in external GDPR expertise, you can minimise the cost of it.
If you don’t use it, lose it
You can think about purging anything superfluous in your data. If you don’t need the identifiable parts (if you are only interested in the geographical spread of inner thigh lengths rather than who has the inner thigh), just delete or randomise the names and addresses. The regulation also has specific hints towards anonymisation that can reduce your problems. If data is non-identifiable, you are not required to provide access, removal and so on to anyone who asks. There are many anonymisation techniques; just make sure you use something industry standard rather than just mixing up letters. That’s one administration and cost headache gone. Additionally, with anonymised data you may not need to report breaches to the regulator, because there is no identifiable information to require reporting. If something can’t be tied back to a person, the regulator won’t be interested. This gets more complicated, though, if you have bits of information that can add up together to identify someone, so be careful if you rely on this as a protection.
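To make the two warnings above concrete, here is an added Python illustration (not part of the original article, and using constructed contact rows rather than real people): it shows why “mixing up letters” is not anonymisation, what a keyed-hash pseudonym looks like instead, and a simple k-anonymity check for the case where innocuous columns such as postcode and birth year add up to identify someone. The function names, sample rows and demo key are all assumptions made for the example.

```python
"""Added example: naive scrambling vs. pseudonymisation, plus a k-anonymity
check for quasi-identifiers. All data below is constructed for the demo."""
import hashlib
import hmac
import random
from collections import Counter
from typing import Optional

# Constructed sample export of supplier contacts (no real people).
CONTACTS = [
    {"name": "Alice Moreno", "email": "alice@example.org",
     "postcode": "SW1A 1AA", "birth_year": 1984, "complaint": "late delivery"},
    {"name": "Ben Okafor", "email": "ben@example.org",
     "postcode": "SW1A 2BB", "birth_year": 1988, "complaint": "wrong item"},
    {"name": "Chloe Dubois", "email": "chloe@example.org",
     "postcode": "SW1A 3CC", "birth_year": 1981, "complaint": "billing"},
    {"name": "Dev Patel", "email": "dev@example.org",
     "postcode": "M1 4AB", "birth_year": 1975, "complaint": "late delivery"},
    {"name": "Emma Fischer", "email": "emma@example.org",
     "postcode": "M1 5CD", "birth_year": 1971, "complaint": "damaged"},
    {"name": "Farid Haddad", "email": "farid@example.org",
     "postcode": "M1 6EF", "birth_year": 1979, "complaint": "billing"},
]

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def shuffle_letters(value: str, seed: int = 0) -> str:
    """The 'just mixing up letters' approach the article warns against."""
    rng = random.Random(seed)
    chars = list(value)
    rng.shuffle(chars)
    return "".join(chars)


def match_shuffled(scrambled: str, candidates: list) -> Optional[str]:
    """Why shuffling is not anonymisation: length and letter counts survive,
    so a scrambled name is matched straight back to a list of candidates."""
    target = sorted(scrambled)
    for name in candidates:
        if sorted(name) == target:
            return name
    return None


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier. Rows from later exports
    can still be linked, but without the key the token cannot be reversed or
    matched to a guessed email. Keep the key apart from the data: pseudonymised
    data is still personal data under GDPR, only with the risk reduced."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def strip_identifiers(rows, key: Optional[bytes] = None):
    """Drop direct identifiers; if a key is given, add a linkable token."""
    out = []
    for row in rows:
        rec = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        if key is not None:
            rec["token"] = pseudonymise(row["email"], key)
        out.append(rec)
    return out


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Smallest number of rows sharing one combination of quasi-identifiers.
    A value of 1 means someone can be singled out from the 'non-identifying'
    columns alone: the 'bits that add up together' problem."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())


def generalise(rows):
    """Coarsen quasi-identifiers: outward postcode only, birth decade only."""
    out = []
    for row in rows:
        rec = dict(row)
        rec["postcode"] = row["postcode"].split()[0]
        rec["birth_year"] = (row["birth_year"] // 10) * 10
        out.append(rec)
    return out


if __name__ == "__main__":
    names = [c["name"] for c in CONTACTS]
    scrambled = shuffle_letters(names[0])
    print("shuffled:", scrambled, "-> matched to", match_shuffled(scrambled, names))

    key = b"constructed-demo-key"  # real use: generated, stored apart from data
    stripped = strip_identifiers(CONTACTS, key)
    print("stripped row:", stripped[0])
    print("k-anonymity before generalisation:", k_anonymity(stripped))
    print("k-anonymity after generalisation:", k_anonymity(generalise(stripped)))
```

On the constructed rows every postcode and birth-year pair is unique, so the stripped export still singles everyone out (k = 1) until the postcode is cut to its outward part and the year to a decade (k = 3). The keyed token keeps the rows linkable across exports without exposing the email, which is pseudonymisation rather than anonymisation; only the generalised data with the tokens removed approaches the “non-identifiable” state the article describes.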
It’s harder if you subcontract data storage to a service of some kind
Your life is much more complicated if you don’t know where the personal data you collect is stored. Try to make sure any cloud services you use have a GDPR statement with appropriate evidence and controls. If in doubt, keep it local. If you ignore this kind of simple precursor, you’ll have to understand and implement GDPR requirement clauses yourself, such as: ‘…An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.’ If your supplier has compliance statements already drafted, this makes things simpler.
Providing subcontractors with access to personal data makes compliance, and your contracts, more complicated
Minimise any access your suppliers or external support companies have to personal data. If they can’t see data, your paperwork is simpler and your risk lower, but you have to be able to prove this is the case. The reason to keep proof of all the measures you’ve taken is that this is your evidence in the event of a data breach. If you can show you’ve taken all reasonable steps to protect data privacy, then your consequences (read: fine) will be minimised. You’re still liable if you let third parties see data. If you don’t know that their security and processes are at least as good as yours, you are definitely at increased risk. One simple approach is to keep data away from a supplier except on a need-to-know basis; then you can log each request and you’ve got a ready-made control process that will stand up to audit. We all do this kind of thing with physical key sign-outs, and we need to start thinking the same way about data: it’s an asset that can be taken, copied and used against the owner.
As a side note to this, customers are increasingly trying to create contract terms that will tie your suppliers into their audits and policies. This is awkward to implement and a pain if you have to try to renegotiate contracts with your existing suppliers to include new compliance terms each time you get a new customer. If your suppliers have no access to individuals’ data, it is much easier to adhere to such terms with zero effort and risk.
There are so many things you can do up front to reduce consultancy cost and improve compliance with the GDPR, but they do boil down to some simple ideas:
– Know what you’ve got and why
– Know how you store it and how it is protected
– Be able to correct and delete this data as needed
– Be able to prove all of this with evidence
If you have done all of this, then getting to the letter of compliance later will be much simpler and cheaper. Even if you have not been able to get through the regulations in detail with a specialist, simple, common sense protections will get you a long way. As with all projects, knowing where you are now will help you get to where you want to go.
Gavin Scruby is CIO of SmartDebit.