GDPR Compliance: What Surprised Me at Dreamforce
If you attended Dreamforce this year, you probably noticed that the European Union’s (EU) General Data Protection Regulation (GDPR) was a big theme. There were several breakout sessions and presentations happening all over the Dreamforce campus that were focused specifically on GDPR compliance. If you didn’t notice and actively target customers that are EU citizens or residents, then I advise you start paying attention to GDPR compliance now! So let’s recap the discussions about the prioritization, breakdown, and preparation of the GDPR.
The EU’s GDPR is a Priority
What I found most surprising at this event is just how many US companies are prioritizing the GDPR. During a breakout session at Dreamforce, Michael Spadea of PwC shared that 98% of large US, UK, and Japanese companies (defined as greater than $500m in revenue) indicate GDPR as either a top priority (56%) or one of the top priorities (42%). Additionally, these companies are putting significant financial capital behind this priority. According to a survey of companies by PwC, “60% said they plan to spend at least $1 million on GDPR preparation projects and 12% plan to spend more than $10 million.” If these businesses have customers in the EU, they must comply with the GDPR or face fines of up to 4% of global turnover or 20 million euros, whichever is greater. However, the real reason for prioritizing and promoting GDPR readiness is that it is an advantage that will help these companies beat their competition. A report by McAfee shows that 74% of business decision makers agree that data protection is used to attract new customers. Have you heard the saying “the early bird gets the worm”? In this case it will be true come May 2018, when the GDPR will be enforced by regulators. It’s not just US companies that are making progress preparing for the GDPR, but they are certainly ahead of UK and Japan based companies. The same PwC survey revealed that 22% of US companies are fully ready for the GDPR, compared to just 8% of UK companies and 2% of Japanese companies. Even so, Forrester Research predicts that 80% of firms will be unable to fully comply with the regulation by May 2018; half of these will be non-compliant intentionally and the other half unintentionally, given the costs and risks. So, what can companies do to prepare for the GDPR? First let’s break it down.
GDPR Overview: Breakdown
The reason many companies are taking their data strategy further than mere compliance with the GDPR is that consumers want this kind of protection. Therefore, showing customers that the GDPR is a priority shows concern for them and their best interests. This is in line with the nature and purpose of the GDPR, which is to provide security, accountability, and respect for an individual’s rights over the personal data that brands use every day to build relationships with customers.
GDPR Security
Preventing unauthorized access to personally identifiable information (PII) is already a major concern for businesses, but the GDPR takes that to the next level by reforming existing legislation. The GDPR covers all personal data: any information relating to an identified or identifiable natural person. This includes direct identifiers (name, contact details, ID number, and location data), online identifiers (IP address, cookies, RFID tags), and indirect identifiers (physical, physiological, genetic, mental, economic, cultural, and social identity). Any company that is processing or profiling data of EU citizens and residents will be subject to the GDPR. Processing data basically means any activity involving a data subject’s personal data. Profiling data is any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis. This alone can cause a lot of stress for employees, as there are many aspects of security to think about: risk management for potential data breaches, third party risk management when outsourcing data processing, appropriate language in documentation, vulnerabilities in the automation for data subject rights, and an increase in the number of regulators that will be checking up on companies. These risk factors are heightened, but they are not really that new. The most significant change that comes with this new regulation is the accountability piece.
GDPR Accountability
Both data processors and data controllers will need to be transparent and take ownership of their data protection policies. There are requirements to have audit trails of when data is collected and how it is used. Each time data is collected, companies must inform the data subject in a timely manner. If the data is from a direct source, making the data subject aware is required at the time the data is collected. If the data is from a third party source, then a company must alert the person within a reasonable period of time after obtaining the data (about one month, depending on the nature of the data). In addition to awareness, each data controller and processor must have consent from the data subject. Article 6 of the GDPR lays out the lawfulness of possession of personal data, which covers:
- Vital interests
- Legal obligation
- A public task
- Legitimate interest
- Progressive, Necessary and Proportional
- Respectful of Obligations
- Fair – Reasonable Expectations of the Data Subject
Data Protection Rights for Individuals
The final (but most certainly not least important!) purpose of the GDPR is to preserve individual privacy while delivering products and services. Under the GDPR, EU residents and citizens will have the following rights:
- Right of Access
- Right to rectification
- Right to restriction of processing
- Right to data portability
- Right to erasure (right to be forgotten)
- Right to object to processing
- Right to be informed
Preparing for GDPR Compliance
During a breakout session about the GDPR at Dreamforce 2017, PwC shared that it had identified ten major work streams in the GDPR adoption process, but just under half of their clients have completed preparation for the GDPR on the four largest work stream areas: data processor accountability, privacy by design, cross-border data strategy, and data lifecycle management. Assuming you want to be one of the companies that intentionally complies with the GDPR, there are several actions you need to take to get ready. Depending on your company’s size and the volume of data processed, there are some legal requirements, such as appointing a Data Protection Officer (DPO). You also will need to be aligned with your data processors. For example, if you use Salesforce you can sign their GDPR addendum, which is Salesforce’s agreement, as a data processor, with data controllers (their customers). There are plenty of organizations consulting on GDPR readiness and a lot of documentation to help you with compliance. It’s even a best practice to complete a Data Protection Impact Assessment (DPIA). However, the most overlooked part of the GDPR is the “right to be forgotten” clause, which gives consumer advocate groups the potential to use it to exhaust companies’ resources and damage their brands. Thus, it is imperative that you get your front office systems ready by focusing on your high risk data sources. It doesn’t matter if your employees work in sales, service, or marketing; you must get your data under control, understand what you have, give users in each department access only to what they have the right to use, and get the tools needed to service data moving forward. With the ability to control an individual’s data comes great responsibility. The following limitations apply to your organization’s ability to collect, store, and use personal data:
- Purpose limitations – must have a specific, explicit, and legitimate purpose
- Storage limitation – must keep data in a state where your organization can identify when it is no longer necessary to store it
- Data minimization – only collect data that is relevant for a specific purpose
- Accuracy – must be kept up to date
- Right to erasure (right to be forgotten) – applies when:
  - The individual withdraws consent
  - The individual objects to processing and there is no overriding legitimate interest
  - The data is unlawfully processed
  - The data has to be erased to comply with a legal obligation
  - The data is processed in relation to the offer of information society services to a child