Remember what it felt like to wake up on the first of January in the year 2000? As soon as the clock struck midnight, all our worries about Y2K were suddenly gone. We resumed our normal daily lives and were only left with a cautionary tale for programmers.
Despite all the General Data Protection Regulation (GDPR) countdowns you saw everywhere leading up to the enforcement date, the truth is that the morning of May 25 marked the beginning of a long journey ahead and a complete redefinition of what we consider “normal.”
GDPR is designed to fundamentally change how everyone – not just in the EU – uses personal data, including how to be more transparent about data use, what data can be used, and how long data can be retained. It will drive organizations to rethink strategic decisions about what data they need to actually drive performance. As Sheila Colclasure, our Global Chief Data Ethics Officer and Public Policy Executive, wrote in her recent blog:
“GDPR requires companies to operate in a different way and put real governance in place to ensure new processes are followed on an ongoing basis.”
Our recent POV, GDPR: What U.S. Companies May Be Getting Wrong, identified five major misconceptions many U.S.-based companies may have had as the enforcement date was approaching. For example, the idea that you have to be in the EU to be impacted is mistaken. If any data that is collected, bought through a third party, shared or used originated in the EU, then that company is subject to GDPR regardless of its location.
Also, many companies that don’t collect personally identifiable information (PII) may have thought they were not subject to GDPR, without realizing that the regulators define personal information differently. According to GDPR, personal data could be a cookie, an IP address or an email address. Even scrambled or “hashed” identifiers, which are considered pseudonymous, are included.
Or some may have believed that if they didn’t have valid consent for a particular use of the data, they could simply claim they were pursuing a legitimate interest on behalf of the consumer. However, such claims must be justified through thorough documentation, including data protection impact assessments (DPIAs) that list every case in which they process data and the legal basis for doing so.
These are only some examples of how easily we can all miss the point about GDPR. Regardless of the letter of this new regulation, the spirit is clear. GDPR insists companies add more rigor and accountability to their stewardship of data. Data should be used for good, and companies should be designed to use it for good. To build more trust with consumers, companies must therefore be transparent about what data they have, how they obtained the data, what they do with it and with whom they plan to share it.
So, as we all wake up to this new normal, we call on companies to do three things.
First, clean up your data supply chain. Audit your data and data sources. Do your partners and suppliers have the proper rights and notice to provide you with that data in a way that’s compliant with GDPR? Who can you trust to provide you with what you have asked for? As good actors in the data ecosystem, we all have to know the right questions to ask and validate all sources, as well as reduce risk exposure by learning how long we actually need to retain data.
Second, consider hiring a Data Protection Officer. GDPR mandates the DPO role under certain circumstances; however, it may be a good idea even if it’s not mandated. A DPO would manage a data-protection-by-design program and interact with the other departments that need to be involved, including IT, engineering, product, solution design, delivery, marketing, enterprise CRM, and so on.
Lastly, create a strong data governance process. Embrace this opportunity to advance the strength of your overall data governance programs, starting with building a complete view of the customer so you can better manage the legal grounds under which you use and share data. Then, integrate data protection processes into your engineering layer to keep up with rapidly changing data collection and use regulations.
For more details, please download GDPR: What U.S. Companies May Be Getting Wrong.