GDPR is Coming (Part 1) – Do You Need to Revamp the Entire Way You Handle Customer Privacy?
The new GDPR (General Data Protection Regulation) issued by the EU earlier this year raises many questions among compliance and privacy officers. Who is required to comply with the GDPR and are companies really expected to revamp the entire way they handle customer privacy?
The word “GDPR” seems to create a sense of frustration among compliance and privacy officers – understandably so.
The GDPR (General Data Protection Regulation), adopted by the EU earlier this year, substantially changes the way organizations handle their customers’ personal data. Considering that some companies have dozens or even hundreds of applications containing personal data, this will have a huge impact on their budget and plans for 2017.
But are companies really expected to revamp the entire way they handle processing and customer data in less than two years, before the regulation begins to apply on 25 May 2018?
Well… not necessarily.
With a deeper understanding of the GDPR, it is indeed possible to be ready before it officially applies, and without reconstructing the entire way the organization handles customer information.
The first thing to understand about the GDPR is that it is aimed at protecting personal data: information relating to identified or identifiable natural persons, much of it obtained as part of doing business. Its territorial scope is broad. It applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. In practice, if your organization holds personal data on people in the EU, you should assume you must comply with the GDPR.
Yes, even if the organization itself is not based in the EU.
Second, the regulation focuses heavily on the processes surrounding personal data. Personal data that is processed (and merely viewing data counts as processing) must be collected for a specified purpose and not kept or used beyond it, and each processing activity must rest on a lawful basis. The data subject’s consent is the most familiar basis, and explicit consent is required for sensitive categories such as health data. To make sure these requirements are met, the regulation obliges organizations to build processes that ensure all data is handled properly and purged when it is no longer needed, or when the data subject explicitly requests erasure.
In addition to the data-handling processes that organizations are required to build, there are several technical domains they need to address in order to deliver data protection by design and by default (Article 25): identity and access management, pseudonymization and encryption, deletion and erasure (the right to be forgotten), and more. I’ll dive deeper into what each of these domains means in my next post.
Naturally, without a proper solution, organizations would have to make sweeping changes to their applications to apply identity and access controls, permission management and full auditing, so that all personal data held in their systems is both protected and audited to the required level. This would be frustrating indeed, to say the least.
Alternatively, the ideal solution would allow full compliance with the requirements in the above domains with minimal changes: it would be relatively easy to implement, would not require a complete revamp of the applications and the business, and could be deployed quickly so organizations are compliant in time, without the risk of being fined.
In parts 2 and 3 we’ll examine the different domains and understand the requirements of the GDPR.