We are have arrived at the May 25, 2018 date when the European Union’s General Data Privacy Regulations (GDPR) become enforceable, following what has been a two-year transition period. Companies were given this time to put in place reasonable measures and the systems necessary to support the legislation’s wide-ranging personal data privacy requirements, which apply to any organization with more than 250 employees that serves EU citizens. While this regulation will apply in the EU, it has implications for any organization in the world that provides services involving the personal data of any EU citizen.
This regulation covers the privacy of personal or professional data; it covers (but is not limited to) physical address, photos, email messages, medical information, sexual orientation, digital location and even IP addresses used. GDPR mandates that data be securely stored against theft and not shared without direct consent. To be in compliance with GDPR, organizations must have made sure they have taken reasonable privacy steps as outlined in the regulations.
US citizens who are living and working in the EU are also protected while operating in these countries, which means that many companies outside the EU need to be aware of this regulation. Penalties escalate according to the seriousness of the violation but the fines can be as large as 4 percent of a company’s global annual revenue, not a trivial amount. And of course to that would be added public reaction to any data breach, which could have even larger deleterious effects by impacting brand and shareholder value.
Any department that gathers, stores or uses data related to customers and their interactions should be aware of GDPR and its implications. This includes marketing and sales interactions as well as the billing for and accounting of products and services purchased. Organizations’ obligations start with the digital marketing systems that create a cookie to track and enable storage of an individual’s activities across the internet. Then there are digital commerce systems that hold data on customer interactions, as well as the calls and messages into contact centers that are recorded, in most cases without the consent mandated under GDPR.
The GDPR regulation also mandates data portability, requiring that customers be able to move their data from one service provider to another. Organizations have historically not provided easy portability, as enabling a customer to move to a competitor is not a priority for many organizations. Beyond any business disinclination, though, making data portability a reality requires that organizations have the ability to receive and track electronic requests to extract personal data and then deliver it in a secure digital form. With typical currently used technology this is not easily accomplished.
Another critical aspect of GDPR is its mandate that a customer have the right to request erasure of his or her data in the case of a violation. My analysis and discussions with a range of application providers indicate that there is a lack of administrative capability for deleting specific customer data from a system. Doing so would mean not just removing the data from an operational system but also from any other location or system to which the data has been copied or transformed and migrated, including analytics tools or backup systems. This makes for a complicated set of steps to erase customer data, particularly if it has been distributed across dozens of systems or copied into others for review and analysis.
Copies of customer data that are extracted from operational systems, enriched and stored in data warehouses, data lakes and analytics systems pose a large challenge, as organizations now must ensure that the data is not shared in ways that violate GDPR. These data management or big data environments can be less secure, increasing the danger that the customer data can be shared or stolen. It is also the case that copies of customer data from the EU into other countries like the US have to follow the same level of compliance with GDPR. Based on my observation, business and IT professionals in these areas have not sufficiently thought through the GDPR implications of their current operations and where better data governance needs to be applied to ensure proper security and control.
Clearly, organizations will need to make changes to be in compliance with GDPR – compliance that likely will require specific technological capabilities in the systems that support business processes. The regulations are about ensuring process and preventing disclosures, which in this day and age is not possible without technology that can monitor and track issues.
GDPR also requires a data protection officer, which in the U.S. frequently is called a chief information security officer. This needs to be a role or team dedicated to maintaining data privacy policies and processes, readily providing information when violations or data breaches occur.
While it’s important to have a responsible party, this is just one small part of what an organization will need to do. Compliance will require a digital transformation of currently used technologies and, most importantly, of the architectures used in the IT organization. This is no easy task because it impacts the way that almost every employee operates across applications. It is also not easy because the vast majority of applications and systems organizations now use are rented from third-party (software-as-a-service or outsourcing) providers, which often means there is less access and control, complicating compliance with GDPR.
But the difficulty notwithstanding, securing data and in many cases masking or encrypting it is an important step forward that must be part of the data management practices that organizations assess and adopt. Organizations that today ask their cloud-computing or third-party provider to encrypt their customer data or extract or erase a specific customer’s dataset will likely find that the vendor cannot do so because it isn’t prepared to help customers with GDPR. And many organizations using digital system logs as an auditing reference will find that those system logs are not able to identify every copy extracted from online systems.
The implications of GDPR will extend even further as customer interactions with businesses shift to conversational interactions through devices like Amazon’s Alexa. When Amazon is monitoring your conversation for your personal or business needs, how is that data secured and what level of detail is stored in various systems? Is your personal data derived from monitored conversations being transmitted securely across the multiple technologies involved? Businesses need to understand and address these issues to ensure limited risk of exposure under the new regulation.
While in the US some aspects of personal information are protected under consumer and data privacy guidelines from the Federal Trade Commission’s (FTC) Bureau of Consumer Protection, data privacy standards in the country are woefully lacking. The conversation within business concerning data privacy has lacked much depth, nor has the FTC provided any useful guidance. Self-regulation hasn’t worked well, yet the onus remains on organizations to get motivated and examine their methods of securing data in their enterprise. When I have asked technology suppliers who provide analytics and data-related systems how they are helping their customers with advancements in their tools to better comply with GDPR, the majority have said, “Our customers are not asking us for improvements for compliance to GDPR.” This reflects a general lack of engagement, but is not by any means an excuse; it should be the responsibility of the technology provider to enable compliance.
The requirement for “reasonable efforts” toward compliance encompasses a wide range of possible steps for organizations to take to ensure they are ready to comply with GDPR. But market research has shown that a majority of organizations are unprepared to truly be in compliance. My analysis finds the same: The majority of the software companies supporting organizations that collect, use and share personal customer information have not taken enough steps to properly support privacy guarantees for their customers.
Your organization can ensure compliance with GDPR by immediately undertaking an examination of the storage and use of customer data across the company. You will also need to assess technology vendors that handle your customers’ data in any form to determine if they are ready to support GDPR requirements. Eliminating risk points will require that you first examine the people and systems that interact with customer data. If you do not, just one accident or mistake could produce quite dire impacts on your organization – and your career.
CEO and Chief Research Officer