On May 22, Kevin Moos and I had the pleasure of presenting the webinar “GDPR: Is Data Still the New Currency?” where we explored the ways in which the EU’s General Data Protection Regulation (GDPR) is forcing companies to re-examine their approach to personal data. (If you happened to miss it, you can watch the replay above, or click here if you don't see the player.)
If the GDPR affects your organization, it’s critical to understand exactly what your company is doing with data and why … and to integrate that data in a way that enables you to meet your obligations under the new regulation.
In the pre-GDPR era, companies functioned in a “Wild West” environment in which they could collect any personal data, for any reason, and do with it whatever they pleased. Each group within the organization — CRM, reporting, marketing, etc. — was free to collect, store, and use data in its own way, often giving rise to massive data silos. For many firms, the result was a data architecture that looked something like this:
Under the GDPR, companies must
- Keep a record of data processing activities
- Obtain explicit consent for each processing activity
- Be prepared to honor requests from data subjects to access their data, to erase their data, to restrict processing, etc.
Organizations will need tight integration across all data systems and processes to ensure data updated in one system is automatically and correctly updated across all other locations too.
In our experience, this is the area where most companies struggle when it comes to GDPR readiness. One of our clients, for example, had grown primarily through acquisitions, and each new company’s data came with its own set of challenges (poor data quality, poor integration, etc). To help our client prepare for the GDPR, we worked with them to create an integrated enterprise architecture that makes it possible to meet their obligations.
Rights and Obligations
In previous attempts to regulate data collection and usage practices (notably the 1995 Data Protection Initiative), the EU issued general recommendations on handling personal data. One of the biggest differences in GDPR is that it lays out specific rights for data subjects and binding obligations for data controllers and processors — with the “teeth” to back up these requirements in the form of fines up to 20 million euros or 4 percent of annual global revenue.
Remember, under the GDPR, you share responsibility with the third-party vendors who handle personal data on your behalf. Recently we spoke with a company who shared that they haven’t even been able to maintain an accurate vendor list, much less review all those relationships to ensure their partners are GDPR-compliant. This is another area that could spell trouble if it slips under your radar, so it’s important to include those vendor relationships in your readiness plan.
Data Processing Grounds
Historically, firms could collect data for any reason — including “just in case we need it later.” Under the GDPR, businesses must be able to demonstrate legitimate processing grounds behind every activity:
One thing to remember is that under the GDPR, even data you’re not actively using can get you into trouble. When we kicked off a recent project with a new client, we asked what their data retention policy was, to which they responded “we retain everything.” As part of their GDPR readiness plan, they must now sort through all that data and delete datasets for which they have no legitimate processing grounds.
So, is data still the new currency? To learn the answer, watch the replay above, or click here to view it on our BrightTALK webinar channel.