GDPR is live! – Now what?

GDPR rules are a hot mess. Get clarity by further identifying all your GDPR weak spots.


As of May 25, GDPR is the law in the European Union.  Any corporation that stores or captures private data of European data subjects must comply with the General Data Protection Regulation.  Of course, that’s no problem because your organization is already 100% good to go, right?

Just in case that isn’t true, now is the time to take a closer look at key areas in which most organizations are vulnerable to a possible GDPR privacy breach.  While GDPR rules are indeed a hot mess, you can begin to achieve more clarity by focusing on some adjustments that will help you reduce risk. 

Scrutinize these functional areas for vulnerabilities and recommended GDPR fixes:

Marketing

Marketing teams often store personal data for individuals as part of the effort to get the word out about products or services.  While that is allowed under GDPR, you will need to add some new checks and balances to this process.  Namely, it is important that individuals are notified that you are capturing and storing their private information – including email addresses – and that they have the option to have you remove this information.  The notification part can be done on the same webpage where you are asking for their information.  For the existing list of contacts, you will need to send them an email that notifies them that you are collecting their information and give them the ability to opt out, in which case you will then remove their data.  You will want to make sure that your customer and contact databases have the ability to remove customer data when they request it. 

Sales

If a customer has an ongoing relationship with you for support or continued payments, you are not required to remove their information if/when they request it, because you have an ongoing business requirement, or a contractual obligation, to maintain that information.  GDPR requirements are specific to individuals, not companies.  As business contacts change within a company, you will need to modify the contact information, especially when requested by the person whose data you are storing.  If a contact person at a company requests that you remove their specific information, you need to do so without jeopardizing the corporate account.  Additionally, you will need to keep an audit log of the fact that you removed the individual’s personal information – which is a bit tricky.  How can you have an audit log that says, “I removed Pete Green’s information” without mentioning Pete Green’s name?  Well, the EU has finally determined that it is okay to mention Pete’s name in the audit log as the person whose personal details you removed from your main systems.

Vendors/suppliers

It is vital that you have a Data Processing Addendum (DPA) to augment your vendor agreements.  This addendum needs to spell out the types of data that the vendor may be required to store on behalf of your customers and the requirements that you have in place that they need to follow.  Data privacy addenda have been all the rage over the past few weeks.  You’ve probably thrown away several from your email inbox.  The legal basis for this is that you can represent to your customers that you are holding your vendors accountable at the same level with which your customers are holding you accountable.

Human resources

Training is an important part of demonstrating GDPR compliance.  Your employees need to be trained on how to handle customer private data and you need to maintain records of who got the training and when.  There are several good resources available for computer-based training.  Check out Pluralsight or Wombat Security.  

Privacy isn’t just for your customers. Your employees have privacy rights also. The extent of these rights varies by country of origin in the European Union and may extend to expatriates living outside their home country.  It is important to put together a policy that incorporates your employees’ data as well as the vendors you might use to process employee information.  Remember to include companies that process health insurance, retirement plans, dental and life insurance, background screening, legal and other services you offer to your employees.  All these providers need to treat your employee data securely and in compliance with GDPR standards. 

Legal

Contracts need to be reviewed for the correct privacy language.  You have a responsibility to hold all your suppliers to the same standard of privacy protection that you provide to your customers, so you need to review with your vendors how they protect privacy, particularly if your vendors have the ability to see or modify your customers’ data.  Make sure you have the right language in your DPA and that you provide this to your suppliers, channel and product partners. 

Now’s the time to get control of GDPR!

This is not meant to be an exhaustive list of everything you may need to do.  It is more a discussion about some of the main areas where most businesses are vulnerable and some ideas about how to get compliant. The rules for GDPR compliance can be daunting and will need to be adjusted as companies find issues and loopholes.  The most important thing is to get started.  Just because the rules are confusing doesn’t mean the application of privacy principles needs to be.  With some simple adjustments you can make sure your company is well set for safeguarding privacy for customers, employees and partners.

This article is published as part of the IDG Contributor Network.