GDPR has finally arrived, but the implementation date is only the beginning of the compliance journey, as Enza Iannopollo, a Forrester analyst on the security and risk team and a Certified Information Privacy Professional tells CIO UK.
"Probably we expect about 50% of firms globally to be ready for compliance in time for May 25. However, we have to keep in mind that this is not a deadline," says Iannopollo, a Certified Information Privacy Professional (CIPP/E).
"This is only the beginning of the story. We assume that it will be a work in progress, even for companies that might be ready today, because building compliance within processes and making sure you do that on an ongoing basis will always be partially a work in progress. We don't expect to see a final stage of compliance. That wouldn't work for this kind of world."
Fines grab the headlines
The threat of fines of up to €20 million or 4% of annual turnover has caught the eye of CIOs.
"I think it's going to be an interesting couple of years for us all, and a bit of a roller coaster at times," AEG CIO David Jones told CIO UK. "People will have understood something one way, and actually it will turn out the regulator's interpreting it another way, and we'll be rushing around to catch up with that.
"I think we're all hoping the ICO will go after the likes of Google and Facebook first rather than smaller organisations, and that will help set some sort of case law."
Information Commissioner Elizabeth Denham described the implications as "the biggest change to data protection law for a generation" but most current data practices are being strengthened rather than overturned.
"I think we are going to see enforcement action. I think the regulators will set a few examples to start with. They want to be perceived as strict with these rules."
Iannopollo expects the regulators to set a few examples to demonstrate their willingness to enforce the rules once evidence arrives of breaches.
However, the nature of the enforcement action will depend on the infringement, and organisations will be given the chance to demonstrate their efforts to comply.
"This doesn't mean that we expect something to happen at the end of May," she says. "Of course regulatory action will take time and investigations take time and there will be an opportunity for organisations to provide evidence of their compliance strategies."
Steps to compliance
A GDPR compliance plan will ideally comprise representatives of legal, IT and HR and support from staff from other departments.
"The organisation has to work in a way that is compliant with GDPR, and this means that technology processes will need to be changed to make sure that you can maintain this compliance all the time," says Iannopollo.
"The first point that I usually make is to make GDPR operational, and the second point is CIOs need to understand how ready their organisation is, because being an executive of a company today means that they're responsible for the security and privacy of their organisation, and we know that the consequences of breaching these rules, or in general of privacy and security breaches, are enormous for these executives. It's not just the fine; it's the reputation and the profitability of the company."
Data needs to be identified and tracked on an ongoing basis, with particular care taken with sensitive information. All this data should be documented along with the purpose for its use, the location where it's stored, and the names of anyone who has access to it.
Procedures should be in place to manage any data processing. Current practices may no longer be sufficient, as GDPR includes a number of new or strengthened data subject rights. The new list of individual rights reads as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Organisations should continue to evaluate their current data governance practices, and document the lawful basis for any processing. Any aspects that are now inadequate should be updated as required. Take note of how data flows across international borders.
Be careful to ensure that any children's data is used appropriately and that all consent is still suitable, as the requirements for both have been significantly strengthened.
The ICO provides a number of data protection self-assessment toolkits to help organisations check their GDPR readiness.
Raising awareness and skills
Many organisations will need to appoint a Data Protection Officer (DPO). The role is mandatory where processing is carried out by a public authority, where core activities involve regular and systematic monitoring of data subjects on a large scale, or where core activities involve large-scale processing of personal data relating to criminal convictions and offences.
Appointing a designated individual as responsible for GDPR is a wise move whether or not a DPO is obligatory, but responsibility for compliance runs throughout the organisation. Raise awareness of the implications through company-wide training sessions on an ongoing basis.
To ensure Yodel is compliant with GDPR, CIO Adam Gerrard has been auditing the company's use of data. The training provided to his team has made him confident that preparations are on course for compliance.
"My data protection specialist is already trained up," Gerrard told CIO UK. "I have a great IT cyber specialist who is fully up to speed with it and understands the concerns in that space as well. So the two of them are going through, with a fine-tooth comb, all our data sources, all our applications: what does this mean for us?
"I think we've got the right kind of rigour, and I think we understand the process we need to get through. There are a lot of areas of working, and that's just on the technology side. A lot of people forget that data protection isn't just about what's stored on the systems.
"Fortunately my team are smart enough to know this and are out there, looking at all the different processes that could potentially have personal information written down as well as stored."
Awareness needs to be raised throughout the organisation. The leadership team should set the example for the rest of their colleagues.
"There's quite a lot of due diligence to be done in most businesses," says Jones. "So it's definitely a focus for us, and there's a little joint working group between the information security director, myself and a couple of key people from our legal team in Europe as well."
GDPR compliance tools
Regtech software can help with GDPR preparations. There are a number of GDPR readiness tools already on the market, ranging from new products to updates of existing solutions.
Syrenis Preference Centre collates and manages consumer preferences in a single cloud-hosted hub that lets companies and customers directly manage their preferences.
Evidon's Universal Consent Platform provides a single transparency and consent platform across platforms, and lets users manage new data subject rights in a simple interface.
Tealium iQ Tag Management is a tag management system (TMS) that offers visibility into the collection and usage of customer data through a single view of information from every source. It offers user control and an audit trail of actions.
Egnyte lets users identify and classify personally identifiable information (PII) across both cloud and on-premises repositories, and offers alerts of any activity that may need to be reported.
The MyLife Digital Consentric Platform gives a single view of permissions across the business and management of the legal justifications for data processing, while Experian has rolled out a free GDPR Maturity Self-Assessment tool.
Even existing office solutions can help in preparations. Databases, spreadsheets, collaboration tools, document management systems and project management tools all provide their own ways to monitor and control data processing, but they will likely need support from other tools and staff throughout the organisation.
Embrace the GDPR opportunity
GDPR compliance can feel like a lot of work, but the regulation is also a business opportunity.
Adhering to the rules is a good way to gain trust from customers and employees, and a chance to differentiate your business from the competition.
Iannopollo advises CIOs to use GDPR as an opportunity to make privacy a key topic for the executive team and use compliance to embed data protection in strategy. They can also research the expectations of their customers to support their evolving demands.
"This is not something for the compliance or legal office," she says. "This is broader. This is an organisational effort to improve business operations and strategies overall. I like to see GDPR as this opportunity rather than this punitive tool that now regulators are going to use against companies."