GDPR is live! – Now what?

Jun 08, 2018 · 5 mins

GDPR rules are a hot mess. Get clarity by further identifying all your GDPR weak spots.


As of May 25, 2018, the General Data Protection Regulation applies throughout the European Union.  Any organization that captures or stores personal data of EU data subjects must comply with it, whether or not the organization itself is based in the EU.  Of course, that's no problem because your organization is already 100% good to go, right? 

Just in case that isn't true, now is the time to take a closer look at the key areas in which most organizations are most likely to fall short of GDPR.  While GDPR rules are indeed a hot mess, you can begin to achieve more clarity by focusing on some adjustments that will help you reduce risk. 

Scrutinize these functional areas for vulnerabilities and recommended GDPR fixes:

Marketing
Marketing teams often store personal data about individuals as part of the effort to get the word out about products or services.  That is allowed under GDPR, but you will need to add some new checks and balances to the process.  Namely, individuals must be told that you are capturing and storing their personal data, including email addresses, and must be given a way to have you remove it.  The notice can go on the same webpage where you ask for their information.  Where you rely on consent as the lawful basis, GDPR requires that consent be a clear, affirmative act: a pre-ticked box or silence does not count.  For your existing list of contacts, send an email that tells them what data you hold and lets them opt out, in which case you remove their data.  Make sure your customer and contact databases are actually able to delete an individual's data on request, including from backups and downstream systems that have received copies, rather than merely flagging the record. 

Customer accounts and support
If a customer has an ongoing relationship with you for support or continued payments, you are not required to remove their information when they request it, because you have an ongoing business need or a contractual obligation to keep it.  Keep in mind that GDPR protects individuals, not companies.  As business contacts change within a company, you will need to update the contact information, especially when the person whose data you hold asks you to.  If a contact person at a company asks you to remove their personal details, you need to do so without jeopardizing the corporate account.  Additionally, you will need to keep an audit record of the fact that you removed the individual's personal data, which is a bit tricky.  How can you have an audit log that says, "I removed Pete Green's information" without mentioning Pete Green's name?  Well, the EU has determined that it is acceptable to record Pete's name in the audit log as the person whose personal details you removed from your main systems; the point is to log the fact of the erasure, not to copy the erased data into the log. 
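The points above, as an added example that is not part of the original article: an erasure routine that removes an individual contact's personal data, leaves the corporate account intact, declines erasure where the data is still needed to perform a contract with that person, and writes an audit entry that names the subject but does not copy their email or phone into the log. The data model, the `ContactStore` class and the sample records are hypothetical, constructed for this example.

```python
"""Added example (not the article's code): GDPR erasure request handling for a
business contact, keeping the corporate account and writing an audit record.
All names, classes and sample data here are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Contact:
    contact_id: str
    name: str
    email: str
    phone: str
    account_id: str        # corporate account this person is a contact for
    active_contract: bool  # data still needed to perform a contract with them


@dataclass
class Account:
    account_id: str
    company: str
    contact_ids: List[str]


@dataclass
class AuditEntry:
    timestamp: str
    action: str        # "erased" or "retained"
    subject_id: str
    subject_name: str  # the name may appear in the erasure record itself
    reason: str


class ContactStore:
    """In-memory stand-in for a CRM database (hypothetical)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.contacts: Dict[str, Contact] = {}
        self.audit_log: List[AuditEntry] = []

    def _audit(self, action: str, contact: Contact, reason: str) -> None:
        # Only the identifier and name go into the log, never email or phone.
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            action=action,
            subject_id=contact.contact_id,
            subject_name=contact.name,
            reason=reason,
        ))

    def handle_erasure_request(self, contact_id: str) -> str:
        """Return 'erased', 'retained' or 'unknown' for the given contact."""
        contact = self.contacts.get(contact_id)
        if contact is None:
            return "unknown"
        if contact.active_contract:
            # GDPR Art. 17 does not oblige erasure while the data is needed
            # to perform a contract with the data subject; log why we kept it.
            self._audit("retained", contact,
                        "data required for an ongoing contract with the subject")
            return "retained"
        # Detach the person from the account; the account itself survives.
        account = self.accounts[contact.account_id]
        account.contact_ids = [c for c in account.contact_ids if c != contact_id]
        del self.contacts[contact_id]
        self._audit("erased", contact,
                    "erasure request honoured; contact record deleted")
        return "erased"


def build_sample_store() -> ContactStore:
    """Constructed sample data for the example (not real people)."""
    store = ContactStore()
    store.accounts["acct-1"] = Account("acct-1", "Example GmbH", ["c-001", "c-002"])
    store.contacts["c-001"] = Contact("c-001", "Pete Green", "pete@example.com",
                                      "+49 30 000000", "acct-1", False)
    store.contacts["c-002"] = Contact("c-002", "Ana Blue", "ana@example.com",
                                      "+49 30 000001", "acct-1", True)
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.handle_erasure_request("c-001"), s.accounts["acct-1"].contact_ids)
    print(s.handle_erasure_request("c-002"))
    for entry in s.audit_log:
        print(entry)
```

In a real CRM the same decision logic would sit in front of the delete statement, and the audit table would be separate from the contact table so that the erasure itself cannot remove the evidence that it happened.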

Vendor agreements
It is vital that you have a Data Processing Addendum (DPA) to augment your vendor agreements.  This addendum needs to spell out the types of personal data the vendor may store or process on your behalf, the purpose and duration of that processing, and the security and handling requirements you expect the vendor to follow.  Data processing addenda have been all the rage over the past few weeks.  You've probably thrown away several from your email inbox.  The legal basis for this is GDPR Article 28, which requires a controller to bind its processors by contract; the practical effect is that you can represent to your customers that you are holding your vendors accountable to the same standard with which your customers are holding you accountable.

Human resources

Training is an important part of demonstrating GDPR compliance.  Your employees need to be trained on how to handle customer private data and you need to maintain records of who got the training and when.  There are several good resources available for computer-based training.  Check out Pluralsight or Wombat Security.  

Privacy isn't just for your customers. Your employees have privacy rights also. The extent of these rights varies by EU member state, since GDPR lets member states set additional rules for employment data, and may extend to expatriates working outside their home country.  It is important to put together a policy that covers your employees' data as well as the vendors you use to process employee information.  Remember to include companies that process health insurance, retirement plans, dental and life insurance, background screening, legal and other services you offer to your employees.  All these providers need to treat your employee data securely and in compliance with GDPR standards. 

Contracts need to be reviewed for the correct privacy language.  You have a responsibility to hold all your suppliers to the same standard of privacy protection that you provide to your customers, so you need to review with your vendors how they protect privacy, particularly if your vendors have the ability to see or modify your customers’ data.  Make sure you have the right language in your DPA and that you provide this to your suppliers, channel and product partners. 

Now’s the time to get control of GDPR!

This is not meant to be an exhaustive list of everything you may need to do.  It is more a discussion about some of the main areas where most businesses are vulnerable and some ideas about how to get compliant. The rules for GDPR compliance can be daunting and will need to be adjusted as companies find issues and loopholes.  The most important thing is to get started.  Just because the rules are confusing doesn’t mean the application of privacy principles needs to be.  With some simple adjustments you can make sure your company is well set for safeguarding privacy for customers, employees and partners.


Phil Richards has both breadth and depth of security experience. He currently is the Chief Information Security Officer (CISO) for Ivanti. He has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

In his security leadership roles, he has created and implemented Information Security Policies based on industry standards. He has led organizations to clean PCI DSS and SSAE SOC2 compliance certifications, implemented security awareness training, and established a comprehensive compliance security audit framework based on industry standards. He has led the organizations through GLBA risk assessments and remediation and improved the organizations risk profile. Finally, he has implemented global privacy policies, including addressing privacy issues in the European Union.

Transforming an organization requires focus on the objectives, clear communication, and constant coordination with executive leadership, which is exactly what Phil has focused on during his security career.

The opinions expressed in this blog are those of Phil Richards and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.