GDPR may sound scary, but it’s actually for your own good

Business media is abuzz with chatter about the EU’s upcoming General Data Protection Regulation (GDPR). Everyone knows that, like the proverbial winter, it is coming, but there is still much confusion about what it means and how organizations should prepare.

At its core, GDPR is an evolution of its predecessor, the EU Data Protection Directive of 1995, and introduces new and more extensive requirements pertaining to the collection, use and management of personally identifiable information (PII) of EU residents.

When looking from the perspective of an organization based outside the EU, GDPR may seem arbitrary, irksome and generally restrictive to doing business. However, the EU regulators view it as absolutely necessary in the modern information age. This disparity in views hinges on the simple but fundamental difference in opinion regarding who should have the ownership and control of personal data.

GDPR, with its far-reaching requirements, may just be the incentive many organizations around the globe need to reform their personal data practices and reduce risks.

Since the advent of the information age, companies have thought of PII as their property – an asset obtained, retained and used at their sole discretion. However, unchecked stockpiling of personal information today can quickly turn valuable business data into a growing liability tomorrow.

A recent string of high-profile data breaches has alerted consumers to the risks they are facing, and they want more control over who uses their personal data – and how they use it. Besides dealing with unhappy customers and the persistent threat of data loss, companies today are also facing increased attention from regulators.

Key GDPR facts

  • Who is affected by GDPR?

GDPR affects companies both inside and outside the EU.

Put simply, any organization collecting, processing, or using data of EU residents is affected. Whether you are a university in the United States or an online retailer based in South Africa, if you have customers, students or patients who are EU residents, you have to comply with GDPR.

  • How are they affected?

Systems, people and processes within the organization are key to GDPR compliance. As is the case with other information-related regulations, technology is only part of the solution enabling compliance. The best technology in the world can be thwarted with poorly designed processes and untrained workers.

  • What is the impact?

Organizations that don’t take appropriate steps to protect personal data under GDPR may face fines of up to 20 million Euros, or 4 percent of their total annual revenue. Legally, choosing not to comply is an option only for organizations that never intend to collect data of EU residents.

How to move forward

1. Take stock

Follow the path PII takes through your organization. What systems, roles and business processes touch it? When and where is it acquired, transferred, replicated or stored? To become compliant, you will need to audit your information processes and optimize them to reduce the risk of exposure and improve governance over every stage of the information lifecycle.

Be cognizant of the fact that the PII your company collects and manages may flow beyond your organization’s firewall to third parties like partners or cloud software providers. Be sure you understand their compliance practices and verify they are adequate.

If your systems and processes involving PII are numerous and complex, you may want to engage a business or legal consultant to help ensure you cover all angles and leverage your industry’s best practices.

2. Define policies

People are a key factor in maintaining compliance. The most stringently controlled systems and processes can be easily undermined by employees who do not know – or choose not to follow – compliance requirements. Establishing a policy that reinforces compliance requirements and training employees on that policy demonstrates Due Care in creating a compliance culture.

Also, monitoring, auditing and testing adherence to the policy by employees demonstrates Due Diligence. Being able to demonstrate Due Care and Due Diligence can go a long way in defending against liability claims.

3. Let technology do the heavy lifting

Information management technologies have long helped companies meet compliance requirements. In fact, given the exponentially growing volume of business data, it would be virtually impossible for a modern organization to maintain compliance manually, without the help of information management tools to track and automate key compliance tasks.

While there is no “magical app” to singlehandedly make your organization GDPR-compliant, a capable enterprise information platform can help you ensure that your processes and users are set up to reinforce compliance rather than compromise it. Some of the technology-enabled features to consider are:

  • Automated document retention management to facilitate proactive deletion of data once it reaches pre-determined end of usable life
  • Multi-faceted security features to prevent unauthorized access to – and replication of – protected data
  • Dynamic privacy features like automated redaction and data masking to give employees and partners access to the information they need without disclosing data they are not authorized to see
  • Auditing and reporting features to ensure your organization can monitor and prove compliance

It’s worthwhile to note that currently, there is no certification for software products as “GDPR-compliant” or “GDPR-certified.” The effectiveness of any software solution in helping your organization maintain compliance will depend largely on how the solution is deployed and configured, and on the processes and policies within your organization.

The upside

Yes, there is actually an upside to pursuing GDPR compliance! Organizations routinely spend millions on optimizing transactional data management in order to improve customer experiences and profitability. By contrast, they have largely neglected lifecycle management of customer data.

For many organizations, as long as customer data gets in the hands of sales and marketing, little else seems to matter. This often leads to undisciplined and decentralized treatment of this important data, leaving it scattered across the organization and increasing risk of liability due to a data breach.

PII is the most common target of data breaches, yet this type of information is often the least governed. Think about your own experiences when you have had to share sensitive information. What happened to the photocopy of your state-issued ID when you opened a bank account? What about the Social Security number you had to write down on the healthcare provider’s intake form?

Today, most organizations’ business processes are not structured to prioritize good information management practices. However, proactively managing and destroying this data can have several significant benefits to the organization by:

  • Reducing exposure surface in case the company does fall victim to hacking or unintentional leak
  • Decreasing costs associated with storing of information past its retention period
  • Improving organizational effectiveness by maintaining good hygiene of customer data
  • Increasing customer trust by following or exceeding mandated data protection standards

The road to GDPR compliance may present many challenges and even uncover some unpleasant surprises about your organization’s data management practices. But, in the end, your company just may come to realize that taking new steps to respect and protect your customers’ data is just good business.

For more information about current regulatory trends in privacy and compliance, download the new eBook Information Privacy and Security — GDPR is Just the Tip of the Iceberg.

Dennis is an enterprise technology evangelist with over 15 years of experience in helping organizations improve business processes through better information management. In his current role as the Principal of Product Marketing at Hyland Software, Dennis helps connect modern information and process management technologies with the evolving needs of customers across a broad range of industries.
Dennis Chepurnov

Dennis Chepurnov

Dennis is an enterprise technology evangelist with over 15 years of experience in helping organizations improve business processes through better information management. In his current role as the Principal of... read more about: Dennis Chepurnov