The European Union’s looming new General Data Protection Regulation will be one of the biggest GRC issues companies face in 2018. Its extraterritorial reach is sweeping, its potential penalties are high, and its conceivable implications for business processes are profound.
Compliance officers can begin simply by considering the vast range of data that could be subject to GDPR compliance. EU regulators wrote the regulation to be as broad as possible; it covers any piece of information that can be associated with a specific individual.
Let me say that again: it covers any piece of information that can be associated with a specific individual.
Some examples, therefore, include:
- Name, date of birth, address
- Credit card numbers or national ID numbers
- Photographic images
- IP addresses
- Medical records
- DNA or other genetic information
- Social or ethnic identifiers
At this point, a standard compliance officer response would be, “OK, the GDPR establishes protected classes of data. Therefore we need to inventory how many of those classes we have, and how much data is in each class.”
That step isn’t wrong, but it fails to see the data-protection forest for the regulatory trees. The list is not exhaustive – the forest will always keep growing, if you will. Sooner or later we will invent some new form of personally identifiable information (PII), and that new form will be swept into GDPR compliance too.
The GDPR isn’t about securing certain types of PII. It’s about guaranteeing to EU citizens that they can control any PII that your business might have in its possession, now and forever.
Compliance officers need to consider what that point really means.
Yes, keeping PII secure is one part of that. Your organization absolutely should inventory all the PII assets in its extended enterprise, and place appropriate security controls around them. But security will still only be one portion of a much larger canvas.
Focusing on categories of information conditions us to work with data in a way that unhitches the P from the II. The GDPR aims to prevent that separation, by clearly defining the roles in data privacy and highlighting who’s in charge: the individual.
Understanding the Roles & Expectations of the GDPR
Put simply, the GDPR is about guaranteeing individuals the ability to control their own PII.
The GDPR’s objective is to leave ownership of PII in the hands of the individual – not the organization that might collect PII about the individual. A business won’t “own” the record of a customer’s address or birthdate, but rather be a custodian of that PII only for as long as the customer chooses. The GDPR even has a name for that role: the business is the data controller.
GDPR compliance is about how your organization fulfills all the obligations that flow from that guarantee.
If you view the GDPR in that light, the risk assessments for GDPR compliance, as well as the conversations you have with the board and business units about GDPR compliance, become quite different.
The question is no longer, “What PII data do we have, and how do we secure it?” It’s something closer to, “Do we understand all the ways we use PII, and how to guarantee that we can maintain its integrity on behalf of the individual?”
You then bring several crucial questions to the surface:
Data Handling Processes
Do you understand all the ways you currently handle PII: how it enters your extended enterprise, how it’s handled, and how it’s stored?
GDPR Compliance Processes
For example, the GDPR requires disclosure of a data breach within 72 hours; can your current business processes manage that? It requires consent from a parent for PII collected about minors; do your data handling processes (see above) allow for that?
Ethics & Compliance Training
Are you educating employees about the right issues within the broad scope of GDPR compliance? For example, when they want to begin a new program of collecting PII (see PII about minors, above), do they know to evaluate their business processes before starting?
Those really are the questions compliance officers need to consider as they grapple with GDPR compliance.
Sure, knowing your PII data assets – where they are physically; what they are; who has access to them; how they’re protected – will always be crucial data privacy best practices. But that’s only going to be one step, and often a step you can entrust to the IT or cyber security department.
GDPR ultimately will be much bigger than data security. In the same way that the Sarbanes-Oxley Act ushered in “effective internal control over financial reporting” to ensure the integrity of financial data, the GDPR may well lead to effective internal control over PII, to ensure the integrity of personal data.
Process, risk assessment, training: that’s what will drive GDPR compliance, and compliance officers have their work cut out for them.