The information is hitting us like a hurricane. The rain keeps pouring down. It won't stop. If you search "eu general data protection regulation" you get 16.6 million hits, and if that is not enough, "data protection regulation" will give you 50 million. With my latest contribution, I suggest that you start by reading number 50,000,001.
So where do we take it from here?
With data privacy? Start running? Pray that it will all blow over? Cross your fingers that a four-year debate in the EU Parliament cannot be that bad? A data regulation billed as the "most important change" in 20 years! A regulation that will protect you and your family, friends, colleagues and everyone else in the world! Should we treat it as a gift? Something wonderful? Something that will rock the world?
Let's look at what the fuss is all about. From an IT perspective, of course. CONTROL! CONTROL! CONTROL! You must understand your data. Privacy-relevant data. Getting the shape of things. Getting things in shape! Processes and data. You should constantly review your processes and technology best practices for privacy protection.
- So where do you start? DOCUMENTATION! DOCUMENTATION! DOCUMENTATION! Start by collecting the information required to generate a data map. Identify all applications that process privacy-relevant data. Classify the data. Get a total overview. Visualise the data with detailed flow maps. Ask questions. Who has access to the personal data, where do you keep it, why do you have it, when do you share it with others, and what mechanisms do you have in place to protect it? Remember, personal data can be any information related to a person that can be used to directly or indirectly identify that person.
- Invest in technology to detect data breaches. Establish processes to notify the data protection authority (and the public) within the imposed 72 hours. Don't wait! This should have been in place when the regulation was approved in May 2016, and the two-year post-adoption grace period is soon coming to an end. Don't start May 2018 with a hangover.
- What about consent? The data subject's consent? The person whose data you hold. Maybe one of the most debated topics in the media. Here the EU Parliament has put a stop to companies misusing data. The request for consent must be given in an intelligible and easily accessible form. It must be as easy to withdraw consent as to give it. And the right to withdraw consent at any time must be communicated in a crisp and clear way. In simple terms, you need explicit permission to store personal data once GDPR takes full effect! A direct outcome of this is that less privacy data will be stored. Less data to control. Which is a good thing. Happy news!
- The last area I will address is the data protection officer. DPO for short. Responsible for regular and systematic monitoring of personal data. For many organizations, a new role, needed to demonstrate compliance with the new regulation. The DPO will act independently and report directly to higher management. And to avoid any misconceptions: the DPO is not personally responsible for compliance with the GDPR, but is a role that enables compliance. The role is important, not necessarily full time, and can be contracted out to an external service provider.
There is a lot of mismanaged privacy data out there. GDPR will rock the world! Also beyond the EU. As an organization, it is important that you 1) understand your data, 2) get your processes in shape, and 3) identify technology gaps where new investments are needed.