How to Make Yourself Care About GDPR (and Do Something About It)

Dan Sigrist & Chris Riley

Advice for CIOs, CHROs, DPOs, CMOs, and anyone whose department touches data.

On June 7, HOSTING and Strong-Bridge Envision hosted a live executive roundtable in Denver called The GDPR Effect. Through facilitated discussion, leaders in IT, compliance, legal, and HR discussed how their organizations are approaching the new regulations. In the process of developing and hosting this roundtable, we realized just how many misconceptions and points of confusion exist across functions and industries. Our goal with this article is to help you understand why GDPR is relevant to you – even if your operations have nothing to do with Europe.

Are you one of the 23% of business leaders who are unaware of GDPR and the new data protection laws?

“I just won’t do business with Europe.”

Chris Riley, Chief Information Security Officer at HOSTING and an expert in compliance, had a surprising conversation with an executive client on the topic of GDPR. After asking the client what steps they’re taking to comply with new privacy standards, their response was that they simply wouldn’t do business with EU citizens to avoid having to implement compliance measures.

This type of opt-out approach may sound attractive – after all, the easiest way around a problem is to avoid the problem altogether. Unfortunately, this approach is not a viable long-term strategy, and complying with GDPR early will position companies for the new wave of data privacy standards that is inevitably coming our way.

In this article we explore the data collection trend that makes GDPR necessary, the reasoning for getting ahead of these regulations even if you don’t do business with Europeans, and our recommended approach for beginning your GDPR journey.

The case for GDPR: Your data in aggregate

If you look at the past 15-20 years of data breaches, you’ll see a slow yet significant change in the type of information being compromised. “In the early 2000s, hackers were stealing credit card information. It then evolved into identity theft, and in more recent years, data is being stolen to blackmail and extort in ways it hasn’t been used before,” says Dan Sigrist, Technology Enablement Director at Strong-Bridge Envision. “Today, we have legitimate companies, such as Facebook, pulling data from multiple sources to advertise to you in a more effective way. Hackers have realized the same thing – by pulling personal data from multiple sources, a disturbing amount of personal detail can be pieced together so that hackers have more sophisticated ways to take advantage of people to get what they want.” This issue was once again brought to the forefront by this week’s startling news of 92 million MyHeritage DNA accounts being hacked, thus “exposing personal medical histories and biological relationships.”

In short, we need to stop thinking about our data as separate points and start thinking about it in the collective. For the past decade and a half, consumers have willingly offered up personal information to companies – email addresses, web browsing habits, purchase history, loan applications, health and medical records, etc. This isn’t necessarily concerning if the data is kept in appropriate silos. What is concerning, though, is the complete profile that can be formed about anyone simply by combining two, three, or more of these sources. Add in the surge of Internet of Things (IoT) devices, which passively collect data such as when your lights are turned on and off, what’s in your refrigerator, and at what temperature your house is kept. This data reveals when you are home, your sleep habits, your diet, and when combined with data about your religious and political beliefs, how much money you make, the status of your health, and how to get in touch with you, it makes you a vulnerable target. When you look at data globally, it makes sense to put control of that personal information into consumers’ hands.

Not only have companies been collecting this data for years – they have been doing so with no formal requirements to protect it. In 2017, ten thousand businesses were asked what steps they were planning to take in the next 12 months to further secure IoT data, and only 37% said they plan to implement new data collection, retention, and destruction policies. “That’s a big gap of people who don’t have a plan,” says Sigrist.

Why opting out of business with Europeans isn’t a good long-term strategy

There’s the obvious opportunity cost of refusing to hire, market to, or partner with any EU citizen. But for companies that see the cost of compliance as greater than this loss, there is more to consider.

“States like New York, California, and Alabama are already enacting laws around PII [personally identifiable information] and how to appropriately handle it,” says Riley. “It’s not just the EU.”

As more state-level data regulations emerge, companies will be forced to handle their data under different standards depending on the data’s origin point. Handling granular and disparate requirements would be a larger burden than adopting a new global data standard that satisfies both GDPR and state-level laws.

Many organizations believe the legal process will take years to get to them – they can fly under the radar, and even if they’re caught, what would the penalty be? We’ll get more into the detection in the next section, but Riley brings up a good point regarding penalty: “The school of thought is that the reputational damage of a global announcement of your organization’s mishandling of information is worse than the fines that will be imposed.”

I’m sold, but overwhelmed – where do I start?

The best place to start is with an assessment of your current data structure and gaps. When Riley began the GDPR compliance process at HOSTING, he examined the entire customer dataflow, which included the following questions:

  • When does consumer data get collected?
  • What is collected?
  • Where is it stored?
  • What are the policies around securing it?
  • How does it get destroyed?

Your organization likely has internal subject matter experts who can inform you about the data lifecycle, so start with them. “We started with a small team and had a conversation about where the data was across the board,” shares Riley. “Over about four meetings our group grew from three to 17, and that was the aha moment for me. The data was in our marketing system, legal contracts, HR, and more.”

After gaining an understanding of your customer data’s internal lifecycle and surrounding procedures, you’ll need to do an audit of the external entities touching it. “This is the first time a compliance framework has put the onus on an organization to qualify their partners,” says Riley. “That is truly a business impact across the board.” Your vendor audit should include these questions:

  • Which contractors and partners have access to our data?
  • What parts of our data are they using?
  • How are they using it?
  • Do they have access to more data than they need?

We mentioned earlier that some organizations feel they can fly under the radar without being detected. Riley and Sigrist agree it is unlikely the GDPR police will be knocking on your door to make sure you’re compliant. However, the GDPR language has a couple of built-in “triggers” that bring issues to light through consumers themselves. Two of the big ones are:

  1. Data on demand. Any EU citizen (this includes dual citizens) can ask your company for every piece of data you have about them. If an organization is unable to produce that information, the individual can report the company for a violation. Not only should you be able to produce information at an individual level, you must also be able to destroy it upon request.
  2. Cookie transparency. Websites that use cookies that can identify a user must disclose this to their users. Furthermore, it is no longer acceptable practice to use the pop-up “accept cookies” dialog box. End users must now specifically accept or reject (the default) the cookie policy of a site and have access to change this designation at any point in the future. Work with your legal department to make sure your privacy policies are updated with cookie collection disclosure if that applies to you.
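The two rules in item 2, reject by default and a choice the user can change later, as an added JavaScript example (not code from the article or from HOSTING or Strong-Bridge Envision): a consent gate that refuses to set an identifying cookie until the user has explicitly accepted, and removes it again when consent is withdrawn. The cookie names, the jar interface and the document.cookie-backed jar are assumptions for the illustration; the in-memory jar lets it run in Node.

```javascript
// Added example (not the article's code): consent gate for identifying cookies.
// Rules enforced: reject is the default, and the choice can be changed any time.
const CONSENT_COOKIE = "cookie_consent";
const ANALYTICS_COOKIE = "visitor_id"; // a constructed identifying-cookie name

function createConsentGate(jar) {
  // Only a stored, explicit "accepted" counts; anything else is treated as rejected.
  let consent = jar.get(CONSENT_COOKIE) === "accepted" ? "accepted" : "rejected";
  function setIdentifyingCookie(name, value) {
    if (consent !== "accepted") return false; // never set without explicit opt-in
    jar.set(name, value);
    return true;
  }
  function accept() { consent = "accepted"; jar.set(CONSENT_COOKIE, "accepted"); }
  function reject() { // withdrawing consent also removes what was set under it
    consent = "rejected";
    jar.set(CONSENT_COOKIE, "rejected");
    jar.remove(ANALYTICS_COOKIE);
  }
  return { accept, reject, setIdentifyingCookie, status: () => consent };
}

// In-memory jar so the example runs outside a browser (Node).
function makeMapJar() {
  const store = new Map();
  return { get: (n) => store.get(n), set: (n, v) => store.set(n, v),
           remove: (n) => store.delete(n), has: (n) => store.has(n) };
}

// Browser jar with the same interface, backed by document.cookie (assumed HTTPS site).
function makeDocumentCookieJar() {
  const pairs = () => document.cookie.split("; ").filter(Boolean).map((c) => [c.slice(0, c.indexOf("=")), c.slice(c.indexOf("=") + 1)]);
  return {
    get: (n) => (pairs().find(([k]) => k === n) || [])[1],
    set: (n, v) => { document.cookie = `${n}=${v}; Path=/; SameSite=Lax; Secure`; },
    remove: (n) => { document.cookie = `${n}=; Path=/; Max-Age=0`; },
    has: (n) => pairs().some(([k]) => k === n),
  };
}

// Lifecycle walk-through: attempt before consent, accept, attempt again, withdraw.
function demo(jar = makeMapJar()) {
  const gate = createConsentGate(jar);
  const beforeConsent = gate.setIdentifyingCookie(ANALYTICS_COOKIE, "abc123"); // false
  gate.accept();
  const afterConsent = gate.setIdentifyingCookie(ANALYTICS_COOKIE, "abc123"); // true
  gate.reject(); // the user changes the designation later
  return { beforeConsent, afterConsent, cookieAfterWithdrawal: jar.has(ANALYTICS_COOKIE) };
}
```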

How to manage (and minimize) organizational impact of these changes

“We had two years to prepare for GDPR, and people still don’t feel ready,” says Riley. “That’s because change is hard. But if you are ever questioned on GDPR, you will have to prove diligence in protecting data, and part of that is having a change management process.”

As you implement changes in data collection, storage, usage, and destruction, consider the impacts to people and processes to strategically manage change. It is important to note that GDPR is not a patch, but rather a foundation on which to build your business practice.

When beginning your GDPR journey, “the tendency is to slow down and put a two-year waterfall plan in place,” explains Sigrist. “But compliance is actually an excellent place for properly executed agile project management.” His reasoning is that, much like GDPR and future regulations will be ever-evolving, your data privacy structure must be built with flexibility. “You can’t just say that you addressed your structure last year and never have to look at it again,” says Sigrist. “You must continually reassess, and if you hit a certain risk level, fixing it should take priority over other projects.”

Riley adds that it helps to work with an expert on this transition. If your organization does not have the internal human capital expertise in data privacy or change management, you would benefit from finding the right partner to help you on your journey.

A final consideration is cost – you may face peers questioning how much it will cost to become GDPR compliant, and if the price of any penalties would be worth paying vs. fixing the system. By taking an agile approach, you can change this mindset by reframing the scope into smaller agile assessments. “This is an iterative cycle that doesn’t have an endpoint,” says Sigrist. “I would ask businesses not to think about compliance legislation, such as GDPR, as a project, but rather as a journey to improved security, increased business stability and higher levels of customer satisfaction.”

GDPR brings many questions, and organizations are looking for the answers to guide their next steps. Sigrist predicts that when the next big data breach happens, the first question asked will be whether there are EU citizens in the affected user base. We hope your organization never undergoes such a breach, but if it does, whether or not you were diligent in your privacy standards will be the biggest difference maker in the outcome you face.