Understanding compliance needs related to the General Data Protection Regulation.
Without fail, my inbox is filled every morning with news, updates, tips and dire predictions about GDPR (General Data Protection Regulation) and the coming impact on companies and their providers. GDPR is an urgent issue, for sure, but the constant barrage of information can be overwhelming. That’s why when I come across a source or article that brings clarity, it’s worth sharing.
The January 2018 issue of McKinsey On Risk reprinted, among many other topics, an online piece they published last summer on GDPR, and added some very useful supplementary information on key facts. In re-reading this article, I realized just how concise and useful it is, combining a big-picture grasp of the issue with practical steps. As Forrester noted in its recent Predictions 2018 research, many companies will not be ready by the May 25th deadline, and a big chunk of those will intentionally not comply. But that doesn’t preclude knowing what’s expected. What follows are the elements as described by McKinsey¹:
Documentation. Organizations should maintain a record of data-processing activities and be ready to present it to the regulator at any time.
Legal basis. All data processing should have a legal basis, such as the consent of the data subject or the need to fulfill a contract or legitimate business purpose.
Rights of data subjects. Organizations should implement rights such as the right to be forgotten (or, more accurately, to data erasure), the right to data portability, the right to object, the right to revoke consent, and the right to restrict processing.
Security. Organizations should protect data through means such as encryption or “pseudonymization” and have effective operational procedures and policies for handling them safely.
Third-party management. Vendors and suppliers, including outsourcing partners, should be required to protect personal data and should be monitored to ensure that they do so.
Privacy by design. Any organization planning a new technology, product, or service should consider data-protection requirements from the beginning of the development process.
Breach notification. Data breaches resulting in risk to individuals’ rights and freedoms should be reported to the supervisory authority within 72 hours of the organization becoming aware of them, and subsequently to the affected data subjects as well where the breach is likely to result in a high risk to them.
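The “Security” element above names pseudonymization as a protective measure, and it is worth seeing what separates real pseudonymization from a token gesture. The example below is added here and is not code from the original post, from McKinsey, or from Determine; the record layout, the guess list, and the e-mail addresses are constructed for illustration. It contrasts an unkeyed hash of an e-mail address, which anyone can recompute for every address they can guess, with a keyed hash (HMAC-SHA256) whose secret key is held apart from the data, and it shows how the separately stored lookup table supports a later erasure request.

```python
"""Pseudonymising a direct identifier (e-mail address) with a keyed hash.

Added illustration, not code from the original post, McKinsey or Determine.
Records, key handling and the guess list are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample records carrying a direct identifier.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 75.00},
    {"email": "alice@example.com", "order_total": 33.10},
]

# Constructed stand-in for an attacker's dictionary of likely addresses;
# real lists run to millions of entries harvested from breaches.
GUESS_LIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. NOT adequate pseudonymisation: the output is fully
    determined by the input, so it can be recomputed for every guessed address."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Stable for the same input, so records
    for one person can still be joined, but it cannot be recomputed without
    the key, which must live apart from the pseudonymised data set."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return (pseudonymised_records, lookup). The lookup (token -> e-mail) is
    the 'additional information' that has to be kept separately and protected;
    the first list can be passed to analytics or a processor without it."""
    lookup = {}
    out = []
    for rec in records:
        token = pseudonymise(rec["email"], key)
        lookup[token] = rec["email"]
        out.append({"subject": token, "order_total": rec["order_total"]})
    return out, lookup


def dictionary_attack(target: str, guess_list, hash_fn):
    """Try to re-identify a token by recomputing hash_fn over guessed addresses.
    Works against naive_hash; fails against the keyed version unless the
    attacker has the key (hash_fn is what the attacker is able to compute)."""
    for guess in guess_list:
        if hmac.compare_digest(hash_fn(guess), target):
            return guess
    return None


def erase_subject(pseudonymised, lookup, email: str, key: bytes):
    """Right to erasure: drop the subject's rows and the lookup entry.
    Removing only the lookup entry is not enough while the key exists, because
    the token can be recomputed from the e-mail address at any time."""
    token = pseudonymise(email, key)
    lookup.pop(token, None)
    return [r for r in pseudonymised if r["subject"] != token]


if __name__ == "__main__":
    # Per-deployment key; in practice kept in a KMS/HSM, never beside the data.
    key = secrets.token_bytes(32)
    records, lookup = pseudonymise_records(SAMPLE_RECORDS, key)

    # Unkeyed hash: trivially reversed from a guess list.
    print("naive hash re-identified as:",
          dictionary_attack(naive_hash("bob@example.com"), GUESS_LIST, naive_hash))
    # Keyed hash: the attacker, lacking the key, gets nothing from the same list.
    print("keyed hash re-identified as:",
          dictionary_attack(records[1]["subject"], GUESS_LIST, naive_hash))

    remaining = erase_subject(records, lookup, "alice@example.com", key)
    print("rows after erasure:", len(remaining), "lookup entries:", len(lookup))
```

Two practical points follow from this. First, a publicly known salt does not rescue the naive hash; only a key the attacker does not hold changes the outcome, so the key's storage and access control are the real security boundary. Second, the keyed table is still personal data for anyone holding the key, which is why GDPR treats pseudonymization as a risk-reducing measure rather than an exit from the regulation.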
The biggest question that the GDPR raises in my mind is whether it is too broad to be effective. It covers a lot of ground, both geographically and in regulatory scope, and a lot of companies. Enforcement is going to be difficult, regardless of how stringent the rules are and how much authority is given to supervisory authorities in Europe. If you consider how much data GDPR covers, which includes any information that can be linked to an identifiable individual (and there are a lot of individuals involved), the difficulties become apparent. The most worrisome point for me is that the GDPR allows individuals to pursue civil action for infringement, including class actions. Once that snowball gets rolling, the repercussions will be enormous.
Regardless, it’s important to stay on top of the information out there so you can keep your own compliance efforts focused. With a major European presence, Determine is also actively working in-house on ensuring our own compliance on behalf of our global customer base. Many of them rely on our contract management and supplier management solutions to monitor their own third-party risk, a critical component of GDPR.
If you’d like to learn more about how to manage risk using the pioneering Determine Cloud Platform, don’t hesitate to schedule a personalized demonstration.
¹ © Copyright McKinsey & Company.