SNP Group, a software company based in Germany, is square in the crosshairs of Europe's General Data Protection Regulation, which went into effect in 2018.
The company's cloud-based product, SNP CrystalBridge, helps companies manage their enterprise resource planning systems. SNP therefore holds private data about its own employees and about the product's end users, and it potentially has access to the private information inside its customers' ERP systems. Under the General Data Protection Regulation (GDPR), companies need a lawful basis, such as consent, before they collect private data; they must protect that data; and they must be able to delete it when a person asks.
The first step for SNP Group was to thoroughly inventory the private data it was collecting, said Steele Arbeeny, the company's CTO. "What do we have? Where is it? What could be construed as protected information?"
This information includes anything that could be used to identify a person, such as name, phone number, address and even whether that person prefers to use 12-hour or 24-hour time format.
"Legal doesn't want to deal with any of these problems cropping up," Arbeeny said. "They tend to err on the side of being overly cautious." But it wasn't an easy job. Personal data doesn't just show up in well-defined database fields, he added.
"I might have a purchase order to buy pencils from you, and in the purchase order there might be a place to put notes," he said. "There's nothing to stop someone from sticking some personally identifiable information in there, such as, 'Please call Mary Jones at 123-4567 when you're ready to make the delivery.' There's nothing to stop that."
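The free-text problem Arbeeny describes is easy to reproduce. The scanner below is an added example, not SNP's tooling: it walks every string-valued field of a record, including the notes field, and reports values that look like phone numbers, e-mail addresses, or a name that follows a "call"/"contact" cue. The sample purchase order, the regular expressions and the category names are constructed for illustration. Pattern matching of this kind finds formats, not arbitrary names, so it supports the inventory rather than replacing it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for personal data that tends to land in free-text fields.
# Assumption: 7- or 10-digit phone numbers and plain e-mail addresses;
# a production scanner would carry locale-specific patterns.
PII_PATTERNS = {
    "phone": re.compile(r"\b(?:\d{3}[-. ]?)?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # "call Mary Jones" / "contact Mary Jones": capitalised words after a cue word
    "contact_name": re.compile(
        r"\b(?:call|contact|ask for)\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)"
    ),
}


@dataclass(frozen=True)
class Finding:
    field: str   # which column the value was found in
    kind: str    # which pattern matched
    value: str   # the matched text


def scan_record(record: dict) -> list[Finding]:
    """Scan every string field of a record, not only the columns the schema
    labels as personal data, and return everything that looks like PII."""
    findings: list[Finding] = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(value):
                # Use the capture group when the pattern has one (the name),
                # otherwise the whole match.
                findings.append(Finding(field, kind, m.group(m.lastindex or 0)))
    return findings


def fields_holding_pii(record: dict) -> set[str]:
    """The set of columns that carry personal data: the inventory answer."""
    return {f.field for f in scan_record(record)}


# Constructed sample: the only structured PII is the buyer e-mail, but the
# notes field carries a contact name and a phone number.
SAMPLE_ORDER = {
    "po_number": "PO-2019-0042",
    "item": "pencils, HB, box of 144",
    "quantity": 20,
    "buyer_email": "purchasing@example.com",
    "notes": "Please call Mary Jones at 123-4567 when you're ready to make the delivery.",
}

if __name__ == "__main__":
    for f in scan_record(SAMPLE_ORDER):
        print(f"{f.field}: {f.kind} -> {f.value!r}")
```

Run against the sample order, the scanner flags `buyer_email` as expected and also `notes`, which no schema would have marked as a personal-data column. That second hit is the point: an inventory built only from column names misses it.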
Trimming back data collections
The next step was to pare the data the company collected down to the bare minimum. GDPR permits collecting data that is necessary to deliver the service a customer has asked for. So, if a customer orders a product, it is fair for a company to ask for an address so that the product can be delivered, and there are legitimate business reasons for companies to collect phone numbers and email addresses.
"I may need to call you back for a support call or text you a code for your forgotten password," Arbeeny said. "Or you might use your email address as your login. This is personally identifiable information, but it is necessary for the functioning of the system. If you can't reset your password or login, then you could argue that the system can't function."
However, SNP was also collecting some user information that wasn't strictly necessary, such as the full names of its end users.
"There was no real use of that information -- other than to personalize some messages," Arbeeny said.
Because the data was nice to have, but not a must-have, the company stopped collecting it and deleted what had already been collected. By reducing the amount of data collected, SNP decreased the work it had to do to become compliant under GDPR data management rules.
Plus, this helped the company position itself for other privacy laws on the horizon, such as the California Consumer Privacy Act, which takes effect at the start of 2020.
GDPR data management loopholes
For the most part, SNP knew where its sensitive data was stored. But this isn't true for all companies.
Automated tools and eyeballing only go so far, especially for very large companies, said Avinash Ramineni, CTO at Kogni, a technology consulting company that helps companies with GDPR and other privacy compliance issues. For example, there might be personally identifiable information in cloud-based email accounts or in file-sharing platforms like Box and Dropbox. And because employees often set up their own accounts on such platforms, IT doesn't have access to them -- or even know they exist.
"Unless you have access to those systems, you can't go in and scan them to see if there's sensitive data stored," Ramineni said.
The only way to address this problem is to limit the use of those types of cloud services, he said.
Then there's the issue of backups. Sensitive data that has been deleted from production systems often lives on in backup copies.
"I've seen organizations going in and cleaning up the backups," Ramineni said. "Other organizations take a more pragmatic approach. Or they try to minimize how long those tapes are held onto, so that they don't keep data more than a certain number of years old."
Unfortunately, GDPR isn't clear about how companies should deal with backups, Ramineni added. "There are some lawsuits going through and that will give us a lot more clarity in how these specific articles are going to be enforced."
Ensuring you have a solid data governance strategy in place is imperative, according to Michael Bird, president of sales and marketing at Dun & Bradstreet.
"Having a process for curation, verification and aggregation of data is something each business should have," Bird said. "Many businesses just don't have a solid process for data collection, storage and sharing."
And it's not just for the sake of complying with regulations, he added. "Your business should be collecting data legally and ethically every day -- not just when a new regulation rolls around. You can expect more and more regulations as bad actors find new ways to collect and misuse customer data. If your business waits until laws are in effect, it will be too late. The foundation has to be laid now for what's to come months and years from now."
Staying ahead of changes is one of the biggest challenges companies face right now. "If you get complacent, you're likely to be non-compliant," Bird added.
Keeping up with changing times
After identifying and minimizing the private data it was collecting, and building its GDPR compliance processes, SNP wasn't done. Like other companies, it also had to meet the challenge of constant change. And for SNP, part of that challenge was internal.
At a software company, developers are always building new functionality that can bring new data into the system. That meant SNP had to change its software development process to make data privacy a required step, Arbeeny said.
Developers were already required to write user stories for new code, he said. Now every user story must describe the data that is read from or written to the system -- and the potential privacy impact of that data.
"Let's say we need a new form," he said. "They have to list what data is going to be on that form -- and we have a compliance department, part of legal, to verify that."
Then, when the code is built, there's another verification step during testing to ensure that the data inputs were as described.
"And it's verified in the release of the feature after it's finished testing," he added.
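The process above has two checkpoints that lend themselves to automation: the user story's data declaration can be reviewed before build, and the built form can be compared against that declaration during testing. The code below is an added example, not SNP's process or tooling. It assumes a small manifest format (field name, data category, stated purpose) and a fixed list of categories that count as personal data; the support-form manifest and the set of fields observed in the built form are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the categories the compliance reviewer treats as personal data.
# A real manifest would use whatever taxonomy the compliance team defines.
PERSONAL_CATEGORIES = {"name", "email", "phone", "address", "free_text"}


@dataclass
class DeclaredField:
    name: str
    category: str        # e.g. "email", "quantity", "free_text"
    purpose: str = ""    # why it is collected; required for personal data


@dataclass
class FeatureManifest:
    feature: str
    fields: list[DeclaredField]


def review_manifest(manifest: FeatureManifest) -> list[str]:
    """Pre-build check: every personal-data field must state a purpose,
    which is where 'nice to have' fields get caught before they are built."""
    problems = []
    for f in manifest.fields:
        if f.category in PERSONAL_CATEGORIES and not f.purpose.strip():
            problems.append(
                f"{manifest.feature}: '{f.name}' is personal data "
                f"({f.category}) with no stated purpose"
            )
    return problems


def verify_against_schema(manifest: FeatureManifest, observed_fields: set[str]) -> list[str]:
    """Test-time check: the fields the built form actually submits must match
    what the user story declared. Undeclared fields are the dangerous direction
    (new data collected with no review); declared-but-missing fields are flagged
    too, so the manifest does not drift from reality."""
    declared = {f.name for f in manifest.fields}
    problems = []
    for name in sorted(observed_fields - declared):
        problems.append(f"{manifest.feature}: form submits undeclared field '{name}'")
    for name in sorted(declared - observed_fields):
        problems.append(f"{manifest.feature}: declared field '{name}' is not present in the built form")
    return problems


def run_checks(manifest: FeatureManifest, observed_fields: set[str]) -> list[str]:
    """Both gates in one call; an empty list means the feature passes."""
    return review_manifest(manifest) + verify_against_schema(manifest, observed_fields)


# Constructed example: a support-contact form. The story declared an e-mail
# (needed to reply) and a free-text description, plus a full-name field with
# no purpose given; the built form also submits a 'notes' field nobody declared.
SUPPORT_FORM = FeatureManifest(
    feature="support-contact-form",
    fields=[
        DeclaredField("email", "email", purpose="reply to the support request"),
        DeclaredField("problem_description", "free_text", purpose="describe the issue"),
        DeclaredField("full_name", "name"),  # no purpose: fails review
    ],
)
OBSERVED_FORM_FIELDS = {"email", "problem_description", "full_name", "notes"}

if __name__ == "__main__":
    for p in run_checks(SUPPORT_FORM, OBSERVED_FORM_FIELDS):
        print("FAIL:", p)
```

Wiring `run_checks` into the test suite makes the release gate mechanical: a feature with a personal-data field that has no stated purpose, or a form that submits a field its user story never mentioned, fails the build instead of reaching the compliance reviewer after the fact.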
But that's not the end of it. Some customers, especially those in regulated industries, can also audit the data to ensure that privacy standards were met.
All of these extra checks slowed the software development process, he said, but not by much. The company also had to hire a couple of extra people for GDPR data management compliance functions.
"In the beginning, it was a little bit uncomfortable because you had extra steps," he said.
Shifting with evolving laws and emerging litigation
It's not just the changes in the company's products that can potentially create compliance problems. The laws themselves are changing as well, Arbeeny said.
"The two things we're watching very closely are Brexit and the litigation starting to appear now with GDPR."
With Brexit, the UK may no longer be treated as part of the EU for data protection purposes, which would add constraints on how personal data moves to and from the country.
"We see a lot of disruption coming with Brexit because so many organizations have connections intertwined, particularly with London and the banking and finance aspects," he said.
The problem with litigation is that the GDPR, as written, is vague about many details. Those details are now being worked out in the courts. Backups are just one example of this.
Suppose there's old private information in a 10-year-old offline backup. What are a company's responsibilities? Do companies have to go through all their old backups and identify all the sensitive data stored there -- and then remove any data that isn't necessary?
"If you can demonstrate that it's an undue burden, then you can get off the hook," Arbeeny said. "But what constitutes an undue burden, they don't define. That will be defined in court."
Getting help with GDPR data management
For some companies, especially those that aren't in the technology field, managing sensitive data and keeping up with changing regulations is too much of a challenge.
"It's not easy to collect the amount of customer data needed to run large campaigns and still make sure that data is compliant," Bird said. "It's probably smart to partner with someone who is an expert at making sure the data is compliant and then use that data to fuel your marketing campaigns."
But outsourcing alone doesn't get companies off the hook.
"One of the biggest mistakes a company can make is thinking they aren't liable for infringing on laws and regulations when they hire a third-party data provider," Bird said. "Just because someone else is collecting the data for you, your business can still be held responsible for the way in which that data is collected, stored and exchanged."
This means that companies using third-party service providers to help with GDPR data management must make sure that the vendors they choose also are compliant, he said.
"There is no magic elixir to managing data supply chain risk," he said. "If something sounds too good to be true, it probably is. Verify, verify, verify."