The unfolding drama of the Facebook and Cambridge Analytica debacle is further fueling attention on the impending landmark GDPR regulation, but what are most companies actually doing?
Like other software companies that serve hundreds of Fortune 500 companies, we’re seeing a rapid increase in vendor request forms to attest to our GDPR practices. We’re also engaged in ongoing and frequent dialogue with compliance professionals, business process owners and technology teams on the implications.
What appears to be the case is that companies are sprinting hard to meet the May 25th deadline, but for the most part, actions are tactical (and reactive) and not strategic.
Let’s examine a couple of examples:
GDPR requires that an individual have the “right to be forgotten” and the “right to remote access to a secure system, which would provide the data subject with direct access to his or her personal data.” Though it might sound simple, consider that most companies have pieces of this data spread across dozens, if not hundreds, of operational systems: everything from marketing, invoicing, support and servicing to fulfillment, and many more.
Furthermore, the individual has the right to request that the data controller update or delete any personally identifiable or protected information, cease further dissemination of the data, and potentially have third parties halt processing of the data. And an organization subject to GDPR requirements has just one month to respond to the above requests across all of its data processing facilities.
So how are most companies dealing with this? Many of the companies we’re interacting with are in the midst of following these steps to meet the deadline:
- Create an inventory of systems and identify those which potentially include protected data;
- Identify or designate owners for these systems;
- Update digital marketing disclosure consents;
- Document legal basis for processing;
- Implement vendor audits and assessments (boy have we seen a lot of these!);
- Develop breach response plans and employee training manuals;
- Then maybe… establish a manual process to ensure requests from subjects are propagated to each system.
In short, most organizations are simply responding with immediate action. However, the biggest risk is the inevitable decline in attention, once the deadline passes, as it becomes something in the rear-view mirror, without incident for most.
Businesses must think long-term by developing an operational and sustainable approach to achieving GDPR compliance. This requires putting in place automated processes to track changes in processing and data usage, ensure destruction of data that should no longer be held, and respond to requests for access to data, among other best practices.
Without a well-conceived and comprehensive roadmap that focuses on building customer trust, establishing the highest level of data controls and improving data handling and availability, organizations will always be vulnerable.
Clearly, the stakes are high as failure to comply with GDPR will not only result in high fines and civil actions, but could have lasting reputational damage. What are you doing to operationalize your data privacy management? We’d love to hear your perspective.
And stay tuned for more insights on our GDPR initiatives.