Best Practices for DPO

GDPR Compliance: How You Can Ensure Ongoing Support

With the GDPR now in full force, many brands are waiting with bated breath for that first data subject request; many have already received it. We all received dozens of emails asking us to re-consent to newsletters and marketing emails from brands across the globe, we saw many US websites (media and others) temporarily blocking EU visitors, and we heard about the first big complaints filed against some of the tech giants. It was a busy few days.

But things seem to have settled, and it's time for organizations to get down to the business of ensuring compliance with the GDPR the way they ensure compliance with any other regulation (and for some industries there are many). We thought it was a good time to remind you of a few untruths about the GDPR and some things you should be doing to comply.

3 Big Lies About GDPR

Tim Walters, Privacy Expert with the Content Advisory, discussed three big lies he’s heard about GDPR in a recent webinar with us:

1. GDPR only concerns the personal data of EU citizens: There is an assumption that the GDPR follows an EU citizen around the globe, so that wherever that person is living or visiting, organizations must apply the regulation to them. Walters said this isn't true. The GDPR doesn't talk about "citizens"; the term is found nowhere in the regulation. It applies to organizations established in the EU, and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people who are in the EU (Article 3). It's about location, not citizenship.


2. Processing personal data requires explicit consent. Again, not true. Article 6 lists six legal bases for processing personal data, and consent is only one of them; the others are performance of a contract, compliance with a legal obligation, protection of someone's vital interests, a task carried out in the public interest, and the controller's legitimate interests. So you need to understand when consent is the basis you are actually relying on. When it is, Walters said, the consent must be freely given, specific, informed and unambiguous.

3. Legitimate interest will shield data-driven marketing tactics. Just because someone visits your website or your support portal doesn't mean you can monitor them and build profiles of them without their consent.

The Core Principle Behind GDPR

Walters boiled it down to 10 words taken from the regulation itself (Recital 7): "Natural persons should have control of their own personal data." That is the core principle, and the goal, of the GDPR.

If you agree with that, Walters said, then think about what actions or behavior you need to demonstrate to show you are committed to that principle.

  • acknowledge the visitor/customer owns the data and you are only borrowing it
  • ask permission to use it
  • say what you are doing with the data and do only that
  • give it back when you are done with it (delete it)

Article 5, the core data processing principles, spells this out:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability (the controller must be able to demonstrate compliance with the principles above)

GDPR Compliance: What You Can Do to Help

As you continue to work on your compliance (and yes, we know that not everyone is 100% compliant out of the gate), there are processes you can put in place to ensure you have a handle on all the customer data you capture and use.

You need to know what personal data you have, and you must be able to find it quickly and reliably. That, said Walters, is where a data inventory or audit comes into play. The data inventory is the foundation for any compliant support of the GDPR data subject rights (access, rectification, erasure, portability and objection).

Personal data is spread across any number of business systems, along with file shares, cloud drives and more. It's critical to understand that processing is not just collecting data; storing data is processing too, and both count. A data inventory tells you where personal data is held. The right software can find these repositories and identify whether personally identifiable information (PII) is stored in them.

Once the inventory is complete, you have to do a full audit. The audit identifies why you have the data, whether you obtained permission for it (or which other legal basis you rely on), how you are using it, and more. This process informs the business decisions you need to make about the data.

You will likely have to interview people, teams and departments to find some of this information, but interviews alone aren't enough. Studies have shown that 50% of the data an organization stores is dark data (generally unused in current business processes). Another 33% is ROT (redundant, obsolete or trivial).

The interview process may tell you what you need to know about 15% of your data, but it’s that other 85% you need to be concerned about. An automated discovery tool is your best answer to finding and understanding the bulk of your data.

In the webinar, Walters left us with five things that you can do to prepare for GDPR, and although the date has come and gone, they still apply to those still not compliant, and to those who need to continue to work on compliance.

  1. Launch an inventory and audit
  2. Design and test a system for supporting data subject rights and requests
  3. Revise your privacy policy
  4. Prepare GDPR-level consent management
  5. Plan for ongoing support

That last point is where a discovery tool can play a key role. Data changes over time. Information is added, it’s moved, it’s manipulated, it’s used across different customer experiences. You need a process that regularly monitors your repositories to ensure personal information is appropriately handled and tracked.
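As an added illustration of what the "automated discovery tool" and "regular monitoring" described above do at the most basic level, here is a small Python scanner. It is an example written for this page, not code from the webinar or from any product. The detector patterns, the directory layout and the sample records are assumptions constructed for the example; a production tool would use validated detectors (checksum-verified IBANs, locale-aware phone formats, named-entity detection) and would extract text from office documents, mailboxes and databases rather than reading plain files.

```python
import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

# Detector patterns are assumptions for this example. They deliberately favour
# precision (e.g. phone numbers must carry an international prefix) so that the
# inventory does not fill up with false positives from order numbers and the like.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"\+\d{1,3}[ \-]?\d{2,4}[ \-]?\d{3,4}[ \-]?\d{3,4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}\b"),
}


@dataclass
class Finding:
    path: str       # path relative to the scanned root, always with "/" separators
    sha256: str     # content hash, used to detect changes between scans
    hits: dict      # PII category -> number of matches in the file


def scan_text(text):
    """Return {category: count} for every PII category that occurs in the text."""
    return {cat: len(rx.findall(text)) for cat, rx in PII_PATTERNS.items() if rx.search(text)}


def scan_tree(root):
    """Walk a repository and build an inventory of files that hold personal data."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            digest = hashlib.sha256(data).hexdigest()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content: a real tool would run a text extractor here
            hits = scan_text(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = Finding(rel, digest, hits)
    return inventory


def diff_inventories(previous, current):
    """Ongoing monitoring: which files newly hold PII, which changed, which disappeared."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(p for p in set(current) & set(previous)
                     if current[p].sha256 != previous[p].sha256)
    return {"added": added, "removed": removed, "changed": changed}


def build_demo_tree():
    """Constructed sample repository with fictitious records (not real data)."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    samples = {
        "crm/export.csv": "name,email,phone\nAnna Example,anna@example.org,+44 20 7946 0000\n",
        "finance/refunds.txt": "Refund to IBAN DE89 3704 0044 0532 0130 00 for order 1182\n",
        "docs/readme.txt": "Internal style guide. No customer data here.\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


def demo():
    """Two scans of the sample tree with a simulated data drift in between."""
    root = build_demo_tree()
    try:
        first = scan_tree(root)
        # Drift: someone pastes a customer's address into a document that held no PII before.
        with open(os.path.join(root, "docs", "readme.txt"), "a", encoding="utf-8") as f:
            f.write("Escalated by bob@example.net\n")
        second = scan_tree(root)
        return first, second, diff_inventories(first, second)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    first, second, delta = demo()
    for rel, finding in sorted(second.items()):
        print(rel, finding.hits)
    print("drift since last scan:", delta)
```

The first scan flags the CRM export (email and phone) and the refund note (IBAN) but not the style guide; after the drift the style guide appears in the inventory and shows up under "added" in the delta, which is exactly the signal an ongoing-support process needs to trigger a review of why that file now holds personal data and on what legal basis.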

You may never become one of those giant tech companies that gets hit with enforcement action and has to pay millions in fines. But it only takes one complaint to cause issues for your company. Doesn't it make sense to get a handle on your information sooner rather than later?
