Sarah Lahav is CEO of SysAid.
The tech community has been discussing the European Union’s General Data Protection Regulation (GDPR) as if it were a natural disaster rather than a law. “Are you ready for GDPR?” ask all the emails from vendors hoping to milk the confusion.
More than enough articles have attempted to decipher the rules, predict winners and losers, or pour gasoline on our collective fears. Let’s take a different approach: If you run a tech company, serve EU citizens, and even have a GDPR consultant, what are potential ‘blind spots’? And beyond merely complying, how can you manage GDPR gracefully once enforcement begins on May 25, 2018?
Understand Your Personal Data Relationships
The responsibilities of handling personal data are divided into two roles: controller and processor. Depending on which role you play, the legal responsibilities change.
Controllers control personal data – any information that could identify a person (name, email, address, location, etc.). Processors process that personal data on behalf of controllers. This distinction can be messy because your company could be a processor in some relationships and a controller in others. You could even have multiple processor-controller relationships with one company.
If you and your sales and marketing team use Salesforce, you’re the controller, and Salesforce is the processor. If customers ask you to delete their Salesforce record, exercising GDPR’s “right to be forgotten,” you’re responsible for fulfilling the requests. Salesforce is responsible for enabling you to fulfill the request. Processors make the delete button; controllers click it.
B2B companies, beware: one processor might serve another processor. For example, company X provides an IT service management (ITSM) platform. Customers store personal data in its help desk solution. That makes its customers controllers and company X a processor. However, its cloud platform runs on Amazon Web Services, so Amazon is a processor to company X. Amazon also controls personal data of some company X employees, perhaps in a CRM file or in an Amazon.com shopping account. But those are separate, unrelated relationships.
Get clear on which role you play in every relationship. Before GDPR is enforced, every contract will need an addendum defining who is controller versus processor. Don’t assume that your vendors or clients are clear on the differences and responsibilities.
Simulate GDPR Requests
EU citizens can ask you to reveal, correct, or erase their personal data under GDPR. They can also ask you to stop processing their data in specific ways (e.g. no personalized advertisements) and may even ask for a portable, machine-readable copy of their data. You do not want these requests bogging down your IT and support staff. Simulate GDPR requests and figure out how to automate them.
As a processor, consider what your customers (especially controllers) will need to do in your system. Draft an FAQ that, rule by rule, explains how your controller can meet the “Rights of the data subject.”
In the consumer tech business, controllers especially need to invest in self-service for GDPR. Note that Google already had a tool for account holders to download data and highlighted it in an article on its GDPR preparation. Facebook hasn’t announced much about GDPR. However, you’ll notice that its Ad Preferences page, buried in your privacy settings, can handle GDPR requests such as shutting off targeted ads (a type of data processing). Your platform might have GDPR tools that just need to be organized into one, well-labeled user interface.
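The request types listed above (access, rectification, erasure, restriction of processing, and portability) are easiest to drill when each one is a single, logged operation over every system that holds the subject's data. The following is an added example and not code from the article or from SysAid; the two systems (`crm`, `helpdesk`), the subject identifiers, the data in them and the purpose names are constructed for the drill, and the in-memory dictionaries stand in for whatever databases a real controller would query.

```python
"""Data-subject-request (DSR) drill: one handler per GDPR right, with an audit trail.

Added illustration only; the store below is constructed sample data, not real records.
"""
import json
from datetime import datetime, timezone

# Constructed sample data: two systems holding personal data about the same
# subject, keyed by the subject's identifier (here an email address).
STORE = {
    "crm": {
        "alice@example.com": {
            "name": "Alice Example",
            "address": "1 Rue Fictive, Paris",
            "marketing_opt_in": True,
        },
    },
    "helpdesk": {
        "alice@example.com": {"tickets": [{"id": 101, "subject": "Password reset"}]},
    },
}

RESTRICTIONS = {}  # subject_id -> set of processing purposes the subject objected to
AUDIT_LOG = []     # evidence that each request was handled, and when


def _log(action, subject_id, detail=""):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "subject": subject_id,
        "detail": detail,
    })


def _collect(subject_id):
    """Everything held about the subject, grouped by system (empty dict if nothing)."""
    return {system: records[subject_id]
            for system, records in STORE.items() if subject_id in records}


def access(subject_id):
    """Right of access: reveal what is held and where."""
    found = _collect(subject_id)
    _log("access", subject_id, f"{len(found)} system(s)")
    return found


def rectify(subject_id, system, field, value):
    """Right to rectification: correct one field in one system."""
    record = STORE[system].get(subject_id)
    if record is None or field not in record:
        raise KeyError(f"no field {field!r} for {subject_id} in {system}")
    old, record[field] = record[field], value
    _log("rectify", subject_id, f"{system}.{field}: {old!r} -> {value!r}")


def erase(subject_id):
    """Right to erasure: remove the subject from every system; returns how many held data."""
    removed = [system for system, records in STORE.items()
               if records.pop(subject_id, None) is not None]
    RESTRICTIONS.pop(subject_id, None)
    _log("erase", subject_id, ", ".join(removed) or "nothing held")
    return len(removed)


def restrict(subject_id, purpose):
    """Objection to a specific kind of processing (e.g. personalised ads)."""
    RESTRICTIONS.setdefault(subject_id, set()).add(purpose)
    _log("restrict", subject_id, purpose)


def may_process(subject_id, purpose):
    """Gate every batch job on this before it touches a subject's data."""
    return purpose not in RESTRICTIONS.get(subject_id, set())


def export_portable(subject_id):
    """Right to data portability: a machine-readable copy of the subject's data."""
    payload = {"subject": subject_id, "data": _collect(subject_id)}
    _log("export", subject_id, "json")
    return json.dumps(payload, sort_keys=True, indent=2)


if __name__ == "__main__":
    subject = "alice@example.com"
    print(access(subject))
    restrict(subject, "personalised_ads")
    print("ads allowed:", may_process(subject, "personalised_ads"))
    rectify(subject, "crm", "address", "2 Rue Fictive, Paris")
    print(export_portable(subject))
    print("systems erased:", erase(subject))
    print(json.dumps(AUDIT_LOG, indent=2))
```

Running the drill end to end shows where automation is missing: every system that holds personal data needs to appear in the store the handlers iterate over, and every processing job needs to consult `may_process` before it runs. The audit log is what you would hand a regulator to show each request was fulfilled and when.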
Consider GDPR Fines
No company is immune to a data breach, which is one of the surest ways to get slapped with GDPR’s top fine. Regulators don’t just send a bill to whomever they assume to be responsible – they investigate.
Controllers have 72 hours to alert regulators after a breach, and must notify people at risk “without undue delay.” Processors are expected to notify the controller ASAP if they detect the breach first. More importantly, EU regulators want to see that your company (whether you’re the controller or processor) did everything reasonably possible to prevent the incursion and protect personal data. They’ll focus on your cybersecurity processes – what you say you do – and governance – how you track and enforce execution of these processes.
Consider the Meltdown and Spectre vulnerabilities that swept headlines. Had they surfaced after May 25 and led to data breaches, the EU would have investigated. GDPR doesn’t say, “Thou shalt encrypt all personal data.” Still, if a company leaked unencrypted data due to Meltdown or Spectre, regulators might deem that company negligent in addition to blaming the CPU manufacturers. Until investigators set precedents, GDPR is open to interpretation.
In other words, GDPR doesn’t prescribe how to protect data, but EU regulators still judge whether you took sufficient precautions (fair, right?). Update your processes and governance as if you were expecting an investigation. Be ready to show that you took exhaustive measures to protect personal data.
There is a Bright Side
GDPR rules are nebulous, tricky, and unpredictable. That’s why it feels like a force of nature and has caused so much scaremongering.
On the bright side, GDPR enshrines the principle that people are the masters of their own data. From my perspective, this philosophy could be a turning point for cloud technology vendors.
Many European companies have hesitated to adopt the cloud due to the lack of governance around data. But under GDPR, cloud vendors acting as processors share the legal burden of protecting data. Beginning May 25, they will pay a price for shirking that responsibility.
If this article sounded like gibberish, or GDPR still seems like a natural disaster, stop Googling articles. Go hire a GDPR consultant today.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating.