Plain sailing: a smooth journey for the CISO towards GDPR compliance

The General Data Protection Regulation (GDPR) will systematically change the data practices of most multi-national corporations. It will level the data protection compliance field between different countries. But it is much more than this – it is a data governance guidebook, which, if followed, will allow knowledgeable CISOs to create a trust-based relationship between empowered customers and invested companies.

As the effective date of the GDPR, 25 May 2018, is only a year away, CISOs who are serious about compliance should by now have finished their gap analysis and be starting to change the most critical processes in which data is collected and used.

CISOs will be key to making this process as smooth as possible, as data flow is too dynamic to be solely manual. Significant automation will be required, which will cause huge challenges, not only operationally, but also due to the need to persuade the board of the necessity.


In the UK approximately 24% of businesses are not preparing for the GDPR, chiefly because of the mistaken belief that the UK’s exit from the EU means the GDPR won’t apply. However, this is far from the truth.

The regulation applies to any corporation that offers its services to EU residents, is established in the EU, or engages in widespread internet monitoring. For all intents and purposes, this means the GDPR applies to just about everyone.

Here are a few high-level principles for the CISO to know – and share.

Know and control

GDPR compliance is predicated upon information professionals knowing what data their organisations collect, how it is used, and whether there are any weak links in their data chain, so compliance will require CISOs to oversee a thorough audit of internal data processes.

The GDPR contains 99 separate articles, with 39 of them focusing on the “know and control” concept and requiring some level of evidence or documentation.


Once the internal data review is complete, CISOs will have to turn their attention to the parts of the regulation that deal with individual rights – starting with transparency.

The GDPR presents a new codified obligation, requiring companies to communicate with the consumer in an easy to understand way about their new rights, the data the company collects, and what they are doing with it.


For example, CISOs will need to deploy a process for consumers to request access to the data stored about them, and to have it corrected, deleted, or transferred.

A manual approach to honouring these new rights is simply not scalable, and already new middleware systems, as well as front-end transparency and consent management tools are coming online. The integration of the middleware systems with the consumer-facing tool is critical and will require APIs or hooks between the two.


The GDPR also requires companies to have a proper legal basis to use someone’s personal data, either through a legitimate interest or by obtaining specific consent. The request for consent must be presented in an intelligible and easily accessible form and must state the purpose for which the data will be used.

Departments will then need to ensure that the process for withdrawing consent is as easy as the process for giving it, and that new consent is obtained before data is used for a purpose other than the one explicitly agreed.

Consent shouldn’t be a problem with data companies collect themselves, but many organisations rely upon numerous third parties – often known as the digital supply chain – to collect data about website visitors on their behalf.


The ad tech and martech industry will be particularly affected: although this complex ecosystem drives the digital marketing revenue that companies depend on to stay profitable and competitive, it can also be seen as the soft underbelly of compliance.

By some estimates, up to 70% of vendors in the digital supply chain are operating on websites without the owners’ knowledge.

As CISOs will know, a vast amount of data collection is done by this invisible digital supply chain, and since these third parties have no relationship with the consumer, it will be incumbent upon the company itself to obtain consent on behalf of the digital supply chain operating behind the scenes on its website.

This means CISOs will be tasked with ensuring their company has a firm grip on third-party data collection, and a rigorous digital governance strategy that includes automatically populating the consumer notice with those parties and an easy-to-use consent tool.
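As an added illustration of that strategy (example code, not the article's or Evidon's), the block below keeps a registry of the third-party vendors known to operate on a site, populates the consumer notice from it, and only lets a vendor run once consent exists for its stated purpose; withdrawing consent is a single call, and the gate can report which vendors are currently blocked as evidence. The vendor list is constructed sample data and the loader is injected so the logic runs outside a browser (in a page it would create the script tags).

```javascript
// Constructed registry of the third parties that run on the site and why.
const VENDORS = [
  { id: "cdn-z",       purpose: "strictly-necessary", src: "https://cdn.example/z.js" },
  { id: "analytics-x", purpose: "analytics",          src: "https://analytics.example/x.js" },
  { id: "adnet-y",     purpose: "advertising",        src: "https://ads.example/y.js" },
];

// Notice population: list every registered vendor grouped by purpose, so the
// consumer notice names who collects data and for what.
function buildNotice(vendors) {
  const byPurpose = new Map();
  for (const v of vendors) {
    if (!byPurpose.has(v.purpose)) byPurpose.set(v.purpose, []);
    byPurpose.get(v.purpose).push(v.id);
  }
  return [...byPurpose].map(([purpose, ids]) => `${purpose}: ${ids.join(", ")}`);
}

class ConsentGate {
  constructor(vendors, loader) {
    this.vendors = vendors;
    this.loader = loader;      // invoked once per vendor when it is allowed to run
    this.granted = new Set();  // purposes the consumer has agreed to
    this.loaded = new Set();   // vendor ids already released to the loader
    this.log = [];             // evidence trail of consent decisions
  }
  // Consent is per purpose: agreeing to analytics says nothing about advertising.
  grant(purpose) {
    this.granted.add(purpose);
    this.log.push(`grant:${purpose}`);
    this.apply();
  }
  // Withdrawal is one call, as easy as granting. An already-loaded script cannot
  // be unloaded here, so withdrawal stops further loads and is recorded.
  withdraw(purpose) {
    this.granted.delete(purpose);
    this.log.push(`withdraw:${purpose}`);
  }
  allowed(v) {
    return v.purpose === "strictly-necessary" || this.granted.has(v.purpose);
  }
  // Release every vendor whose purpose is covered by consent, exactly once.
  apply() {
    for (const v of this.vendors) {
      if (this.allowed(v) && !this.loaded.has(v.id)) {
        this.loaded.add(v.id);
        this.loader(v);
      }
    }
  }
  // Registered vendors currently held back: the gap a CISO can evidence.
  blocked() {
    return this.vendors.filter((v) => !this.allowed(v)).map((v) => v.id);
  }
}
```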


The penalty for non-compliance is huge: up to 4% of a company’s global turnover or €20 million, whichever is greater.


Many believe that the first enforcement actions will be focused on third-party data collection and the failure of the company to get consent.

To ensure your organisation doesn’t get tripped up, it is incumbent on CISOs to communicate the risks and responsibilities to the rest of the business as soon as possible.

They will need to work together to make the compliance process smooth, and get an automated transparency and consent process in place, which hooks into the company’s databases or middleware systems to trigger the right action at the right time.


Sourced by Todd Ruback, chief privacy officer, Evidon

