With less than a year left before the European Union's new data privacy law, the GDPR, goes into effect, time is...
growing short for companies to get on track to be ready. And there's a lot to do, including development of new data governance processes.
That makes preparing to comply with the GDPR legislation a time-consuming affair. "Any organization that is starting now will not be fully compliant," said Daragh O Brien, managing director of Dublin-based consultancy Castlebridge Associates. "The GDPR represents a culture change. There's no tick box to say, 'Yes, we are compliant.'"
The GDPR, formally known as the General Data Protection Regulation, becomes effective on May 25, 2018, as a replacement for the current EU Data Protection Directive. The law establishes stricter regulations on data security and privacy for any company operating within the EU or dealing with data that pertains to EU citizens.
Under the GDPR legislation, people whose personal data is collected and stored by a company will get new data subject rights. These rights allow them to review their personally identifiable information (PII) and request that it be changed, erased or transferred from a company's systems. Also, businesses may only use people's data if they're given explicit consent, or if there's a legitimate legal reason that requires them to do so.
The long arm of the GDPR law
Although the GDPR is a European law, it still applies to multinational companies based in the U.S., and it can even affect U.S. companies that don't operate overseas, but do business with organizations that deal with data on EU residents.
"For companies that aren't multinational who do discover suddenly that they have to adhere to these regulations, they're going to be scrambling for better data governance practices and better metadata management practices that they don't have in place right now," said Anne Marie Smith, vice president of education and chief methodologist at consultancy EWSolutions in Hinsdale, Ill.
Smith added that although she has advised many of her U.S. clients to create a plan for complying with the GDPR legislation, she has had trouble convincing some that they need to devote time and resources to preparing for the law.
That's partly because companies, in many cases, are used to relying on their business partners to oversee data protection on information they don't generate or collect themselves -- third-party data, for example. However, under the GDPR, that burden is shared.
"It's not enough anymore to say, 'Well, we purchased the data from Company X, and, therefore, it's not our responsibility.' That's not true," said Kevin Shannon, global head of enterprise data governance at business-data provider Dun & Bradstreet Inc. (D&B) in Short Hills, N.J.
A three-pronged compliance approach
In a recent webinar hosted by the Data Governance Professionals Organization, Shannon detailed D&B's process for GDPR preparation. The company's data governance team divided the work into three concurrent categories: user stories, privacy impact assessments (PIAs) and data lineage.
Shannon said collecting information from customers on their experiences with D&B enabled the governance team to add "color" to the GDPR plans; it also was able to discover how clients wanted the company to improve data protection, as well as what it was already doing right.
Conducting PIAs, which are required under the law, showed Shannon's team the biggest security-risk factors. And establishing data lineage let it tie the results of the two other processes together to help illuminate data management weaknesses that had to be strengthened in order to comply with the GDPR.
Kevin Shannonglobal head of enterprise data governance, Dun & Bradstreet Inc.
"Data lineage is something which we actually started in preparation for the GDPR before the GDPR itself was finalized," Shannon said. "Rolling up sleeves, getting into databases, documenting exactly what kind of data is in that database -- it's the expectation of regulators that you know where PII and [sensitive personal information] are."
To ensure they addressed all potential issues, he added, the data governance team created a list of 25 pillars that the organization needed to improve, including its products, data supply chain and human resources processes. Because of the breadth of these areas, the compliance plan required input from virtually every department at D&B, according to Shannon.
No end in sight on GDPR compliance
In addition to the steps Shannon outlined, Smith said meticulous documentation of data governance is one of the most important aspects of GDPR preparation. Companies need to be able to demonstrate that they're complying with the GDPR legislation in the case of an audit, she cautioned.
"You have to be able to demonstrate that you've maintained accountability," Smith said. "Compliance has to be continual. You have to be able to produce that documentation at a moment's notice, and to this point, most organizations have not been very good at documenting data governance compliance."
Even for those companies that do put in the work now, staying on track with the GDPR will be a continuous process. O Brien said one organization he works with has even banned the word compliant from all GDPR-related conversation, to emphasize the fact that the data governance process spurred by the law will extend into the foreseeable future.
Shannon echoed that sentiment, calling the GDPR an "evergreen document" that will force him to always be on top of D&B's data and its data governance practices. On the other hand, he said the law doesn't spell out how to comply, leaving that for data management teams to figure out themselves.
"There's nothing within the GDPR that tells anyone exactly what path to take," Shannon said. "The expectation is that a modern organization would be using techniques to secure data that would be commensurate with this day and age."
Ten key facts you should know about the GDPR, minus the legal jargon
Why all companies, not just ones in the EU, should prepare for the GDPR
Podcast: How will the GDPR affect data privacy and security?
IT and marketing departments are waking up as the GDPR alarm clock ticks