SNP Group, a software company based in Germany, is square in the crosshairs of the European Union's GDPR data privacy law, which ratcheted up the data management and data governance requirements for companies that do business in the EU when it went into effect in May 2018.
SNP's cloud-based CrystalBridge platform helps SAP users manage their ERP systems. As a result, SNP had access to the private data of its own employees and the end users at its customers. It also potentially had access to the private information in customer systems. However, under GDPR, companies must have permission before they can collect private data; they also need to protect that data, and they must be able to delete it upon request.
The first step for SNP in working to comply with the new GDPR data management rules was to thoroughly inventory the personal data it was collecting, said Steele Arbeeny, the company's CTO. "What do we have? Where is it? What could be construed as protected information?"
This information includes anything that could be used to identify a person, such as name, phone number, address and even whether that person prefers to use a 12-hour or 24-hour time format. "Legal doesn't want to deal with any of these problems cropping up," Arbeeny said. "They tend to err on the side of being overly cautious."
But it wasn't an easy job. The personal data covered by GDPR and other new privacy laws doesn't just show up in well-defined database fields, Arbeeny added.
"I might have a purchase order to buy pencils from you, and in the purchase order there might be a place to put notes," he said. "There's nothing to stop someone from sticking some personally identifiable information in there, such as, 'Please call Mary Jones at 123-4567 when you're ready to make the delivery.' There's nothing to stop that."
Trimming back data collections
The next step was to pare down SNP's customer data collection levels to the bare minimum. For example, there are GDPR exceptions for data that companies require to provide services to customers. For example, if a customer orders a product, it's fair for a company to ask for an address so that the product can be delivered. There also are legitimate business reasons to collect phone numbers and email addresses.
"I may need to call you back for a support call or text you a code for your forgotten password," Arbeeny said. "Or you might use your email address as your login. This is personally identifiable information, but it's necessary for the functioning of the system. If you can't reset your password or login, then you could argue that the system can't function."
However, SNP was also collecting some user information that wasn't strictly necessary, such as the full names of its end users. "There was no real use of that information, other than to personalize some messages," Arbeeny said.
Because that data was nice to have, but not a must-have, the company stopped collecting it and deleted what had already been collected. By reducing the amount of data collected, SNP decreased the work it had to do to become compliant under the GDPR data management rules.
Plus, this helped the company better position itself for other data privacy laws that might come up, such as the California Consumer Privacy Act (CCPA), a state law with widespread ramifications for businesses that's set to go into effect at the start of 2020.
GDPR data management loopholes
For the most part, SNP knew where its sensitive data was stored. But this isn't true for all companies.
Automated tools and eyeballing only go so far, especially for very large companies, noted Avinash Ramineni, CTO at Kogni, a technology consulting company that helps companies with GDPR and other privacy compliance issues. For example, there might be personally identifiable information in cloud-based email accounts or in file-sharing platforms like Box and Dropbox. And because many employees set up their own accounts on platforms like this, IT and data management teams often don't have access to that data -- or even know about it.
"Unless you have access to those systems, you can't go in and scan them to see if there's sensitive data stored," Ramineni said. The only way to address this problem is to limit the use of those types of cloud services, he added.
Then there's the issue with backup data. Some companies also store sensitive data in backup facilities. "I've seen organizations going in and cleaning up the backups," Ramineni said. "Other organizations take a more pragmatic approach. Or they try to minimize how long those tapes are held onto, so that they don't keep data more than a certain number of years old."
Unfortunately, GDPR isn't clear about how companies should deal with backups, Ramineni added. "There are some lawsuits going through, and that will give us a lot more clarity in how these specific articles are going to be enforced."
Effective data governance needed
Ensuring that you have a solid data governance strategy in place is imperative, according to Michael Bird, president of sales and marketing solutions at Dun & Bradstreet.
"A process for curation, verification and aggregation of data is something each business should have," Bird said. "Many businesses just don't have a solid process for data collection, storage and sharing."
And it's not just for the sake of complying with regulations like GDPR and CCPA, he added. "Your business should be collecting data legally and ethically every day -- not just when a new regulation rolls around. You can expect more and more regulations as bad actors find new ways to collect and misuse customer data. If your business waits until laws are in effect, it will be too late. The foundation has to be laid now for what's to come months and years from now."
Staying ahead of such changes is one of the biggest data governance challenges that companies face now as they look to balance data collection practices and privacy. "If you get complacent, you're likely to be non-compliant," Bird said.
Keeping up with changing times
After identifying and minimizing the private data it was collecting, and building its GDPR compliance processes, SNP still wasn't done. Like other companies, it also had to meet the challenge of constant change. And for SNP, part of that challenge was internal.
As a software company, its developers are always coming up with new functionality that has the potential to bring in new data. That meant the company had to change its software development process to include data privacy considerations as a key step, Arbeeny said.
Developers were already required to create "user stories" when writing new code, he said. Now, every user story has to include a description of the data that will be read from or written to the system -- and the potential privacy impact of that data. "Let's say we need a new form," he said. "They have to list what data is going to be on that form, and we have a compliance department, part of legal, to verify that."
Then, when the code is built, there's another verification step during testing to ensure that the data inputs were created as described. "And it's verified in the release of the feature after it's finished testing," Arbeeny said.
But that's not the end of it. Some customers, especially those in regulated industries, could also audit the data to ensure that privacy standards were met.
All of these extra checks slowed down the software development process, though not by much, Arbeeny said. In addition, SNP had to hire an extra couple of people to handle GDPR data management compliance functions. "In the beginning, it was a little bit uncomfortable because you had extra steps," he said.
Shift with evolving laws and emerging litigation
Furthermore, it's not just product changes that can potentially create compliance problems for companies like SNP. The privacy laws themselves are also changing and evolving, Arbeeny said. "The two things we're watching very closely are Brexit and the litigation starting to appear now with GDPR."
With Brexit, there's a possibility that the U.K. will no longer be considered a part of Europe -- and that there will be additional constraints on how data moves to and from the country. "We see a lot of disruption coming with Brexit because so many organizations have connections intertwined, particularly with London and the banking and finance aspects," he said.
The problem with litigation is that GDPR, as written, is vague about many details. Some of those details are now being worked out in the courts. Backups are just one example of this. Suppose there's old private information in a 10-year-old offline backup. What are a company's responsibilities? Does it have to go through all its old backups and identify all the sensitive data stored there -- and then remove any data that isn't necessary?
"If you can demonstrate that it's an undue burden, then you can get off the hook," Arbeeny said. "But what constitutes an undue burden, they don't define. That will be defined in court."
Getting help with GDPR data management
For some companies, especially those that aren't in the technology field, managing sensitive data and keeping up with changing regulations is too much of a challenge.
"It's not easy to collect the amount of customer data needed to run large marketing campaigns and still make sure that data is compliant," Bird said. "It's probably smart to partner with someone who is an expert at making sure the data is compliant and then use that data to fuel your marketing campaigns."
Michael BirdPresident of sales and marketing solutions, Dun & Bradstreet
But outsourcing alone doesn't get companies off the hook on privacy compliance and data governance.
"One of the biggest mistakes a company can make is thinking they aren't liable for infringing on laws and regulations when they hire a third-party data provider," Bird said. "Just because someone else is collecting the data for you, your business can still be held responsible for the way in which that data is collected, stored and exchanged."
This means that companies using third-party service providers to help with GDPR data management must make sure that the vendors they choose also are compliant, Bird cautioned.
"There is no magic elixir to managing data supply chain risk," he said. "If something sounds too good to be true, it probably is. Verify, verify, verify."