Imagine, for a moment, you arrive home from your vacation and find your house has been broken into and that thieves have absconded with your personal property (including that irreplaceable plastic elephant lamp you got in India, with the golden tusks that turn the light on and off). After your initial reaction of fear and anger, you call the police to get the crime investigated, the criminals punished and your precious elephant lamp returned (much to the chagrin of the other family members). Now suppose that when you call the police, the officer answering the call robotically quotes you the exact law that was broken (in painstaking detail), thanks you for agreeing that you understand and acknowledge these laws, and then hangs up the phone. To any sensible person, this sounds ridiculous and infuriating, and yet this is precisely what many people encounter when trying to resolve an issue involving their personal information. We have all experienced the frustration of trying to resolve misspelled names that keep coming back to haunt us after we thought we had corrected them online. Or we wonder why we just received a phone call or email from a random company we don’t recall ever having contacted.
Today, our personal data journey is much like the police example above. Most companies have invested a good deal of budget, time and effort into the “Legal CYA” of compliance but have done almost nothing to show actual capability around being compliant. In other words, can they actually do something about your request for privacy, or to have your data erased? Can they prove it? Compliance has traditionally been their focus, while capability is what we care about. Without an incentive for corporations to change, we remain stuck in the data mud when it comes to our own information. We call the police and get a robot recording. Fundamentally, there is almost no recourse for deciding who uses the data we submit, where it goes, how to delete or update it and in the case of medical records, how we move that information or data to other sources. There is not one system of record out there and the problem seems so immense it is almost unsolvable.
Enter the Global Data Protection Regulation (GDPR) and a little fine of between 20,000,000 Euros and 4% of global revenue, whichever is greater. You really need to PAY attention to “whichever is greater”, and here’s why.
Some very smart people figured out that the way to get corporations to do what they should be doing is to hit them in the pocketbook. A lot of us have been complaining about corporations not listening to our concerns. So, on April 8, 2016 the European parliament agreed to enact a law that will fine the shoes, socks, shorts and pants off of any organization doing business in Europe that does not comply with the 50+ articles of GDPR by May 2018. If you are wondering, this impacts everyone who does business in Europe. In fact, they were smart enough to add three little words to the fine: “whichever is greater”. This means that corporations can no longer sit in a boardroom and weigh the cost of taking corrective action against the cost of paying the fine. The “whichever is greater” part means that the proverbial fat cat executive will be thinned out very quickly if s/he does not comply. In Star Trek parlance, resistance is futile.
The 10 Things You Need to Know to Plan For and Survive a GDPR Audit
Here are 10 areas that you should research and fully understand to prepare for and successfully navigate a GDPR audit.
- What are the GDPR Data Protection Laws? These are the key European data protection laws and regulatory bodies, describing the evolution toward a harmonized legislative framework. I like that word, harmonized; it gives me hope. Nothing like 20 million Euros in fines to harmonize your communication.
- How do I define my personal data? What are personal, anonymous, pseudonymous and other special categories in the GDPR definitions? GDPR defines you and me as the “Data Subject”, and all the rules of law defined in the articles are meant just for us. But who are we in this big lake out there, and what exactly are our privacy rights?
- Who are the corporate controllers and processors? Are they friend or foe, and what are their roles?
- How do I process personal data, and what defines data processing and the GDPR processing principles? What is a process?
- Who processes my data? After my data request is processed by companies for things like marketing programs, what obligation does a corporation have to communicate to me how they are going to use my data?
- What are the data subjects’ rights? Who, what, where, when and how am I being informed of any personal breaches?
- Who is accountable? What data protection management systems are out there? Has there been a data protection impact assessment? Did I ever even see and agree to (that is, consent to) any privacy policies?
- What about my data overseas? Who said they could move it there? Was it always there? Did I even know where it was going when I entered it online? What were the safeguards in place?
- What is the Data Protection Board? What is the board’s role and power?
- Are we compliant and CAPABLE?
I highlight capable as the last point because that is the true differentiator of GDPR and the true intent of the law. The goal isn’t to send out a bunch of auditors and levy massive fines against executives. Auditors really want to know that you care, and the way you show that is by demonstrating capability. So, I encourage you NOT to introduce your lawyer to an auditor on Day 1.
Five years ago, companies could demonstrate compliance with some spreadsheets, a Visio diagram and some relatively good interdepartmental communication. They never had to prove capability. Today that is impossible due to the influx of data requests from multiple sources seeking to share and sell personal data, as well as to group, catalog, organize and profile data for “prediction of data and data subject.” Therefore, data management and governance are essential to being compliant and showing capability. Without a good framework and a deep understanding of the rules of GDPR, companies stand a good chance of failing their audit.
Everything we do takes time – whether it’s perfecting our police response time and the “process” used to remediate, notify, rectify, return and enforce the law, or it’s the journey of personal data and understanding GDPR. We will all eventually get there and do things the right way. For GDPR, we are just starting this journey. Talk internally (you can use the list provided above), discuss what needs to be done, confer with legal, but most importantly find a partner that knows the GDPR framework, has a solution – not just a tool – and can work with you to address the complexities and pass your audit.
As Dwight D. Eisenhower once said, “Neither a wise nor a brave man lies down on the tracks of history to wait for the train of the future to run over him.”