GDPR a year later: Five key takeaways and lessons learned
- Posted on July 2, 2019
This article was originally published in Forbes.
Since the European Union's General Data Protection Regulation (GDPR) took effect a year ago, a lot has changed in how organizations worldwide treat personal data. GDPR requires that anyone who controls or processes personal data implement appropriate technical measures and have the right organizational processes in place to protect it.
It may sound like a simple concept, but the actual execution has left some organizations struggling to ensure compliance. In addition, new challenges are arising from the growing number of local laws and regulations coming from member states that sometimes conflict with, or even undermine, GDPR.
So, compliance hasn't been easy by any stretch. But the good news is that many companies have used the work of aligning with GDPR to increase their overall knowledge of data protection requirements and to improve their data protection processes in general. Looking back at the past year with GDPR, there are a few key insights about the experience to note, as well as some practical lessons learned.
1. Privacy and consent are the next big area of focus
When France's data protection regulator (CNIL) penalized Google for GDPR infractions to the tune of €50 million (about $57 million at the time), it was a shot across the bow that privacy will continue to be an area of close compliance scrutiny. Although the fine is considered small for a company as big as Google and is nowhere near the maximum of four percent of annual global revenue, it garnered a lot of negative press about how the company was not meeting proper transparency and consent requirements. To avoid the fines and penalties that are likely to continue and increase, organizations must educate the key stakeholders throughout the business who touch personal data about GDPR and about their obligation to obtain valid consent wherever consent is the basis for processing. That doesn't just apply to the current state of the business: any new or evolving technology, tools and processes must align with GDPR to avoid both hefty penalties and negative media exposure.
2. Vendors and suppliers are in scope
Many think of GDPR from an internal perspective, and rightly so. It's vital that organizations understand their own security posture as it relates to GDPR. But the scope of responsibility doesn't end there. The onus is also on companies to understand the security postures of their vendors and suppliers as they relate to GDPR and data protection, which may include an evaluation of their processes and contracts. Many organizations have a vendor management program in place, but the increased outsourcing of data processing makes it imperative and urgent that GDPR compliance is confirmed. Specifically, five GDPR articles, Articles 28, 30, 32, 33 and 36, are the ones to check here: Article 28 sets out what a contract with a processor must contain and when sub-processors may be engaged, Article 30 requires records of processing activities from processors as well as controllers, Article 32 requires security measures appropriate to the risk, Article 33 requires a processor to notify the controller of a personal data breach without undue delay, and Article 36 covers prior consultation with the supervisory authority for high-risk processing.
3. Strong partnerships across your business teams are important
If your enterprise has been operating under these new and evolving regulations, you've likely had a lot of communication with your legal and compliance teams to understand your posture and interpret the best course of action across your business. Use this opportunity to strengthen partnerships across your organization, including your legal, human resources and marketing departments. GDPR isn't just an IT issue; full compliance relies on all stakeholders working together to ensure data protection requirements are met.
Marketers, in particular, have had to shift their campaigning and data mining approaches and may need the help of legal, compliance or IT resources. Marketing should work with other departments to make sure data is obtained and managed properly, including securing customer consent and telling customers how their personal data will be used.
4. A strong controls framework is highly recommended
Having controls and a framework that you can apply to all areas of your business will help ensure compliance. A good controls framework will cover all the essentials that relate to GDPR, including the data protection principles (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability), the data subject rights such as access, rectification, erasure and portability, and any other requirements that apply to your processing.
Whatever framework you land on to help with your GDPR compliance, it should meet both privacy and security requirements, address your organization's most immediate and high-priority needs first, and offer proof of compliance for auditors with detailed documentation.
A year ago, as the GDPR rollout was imminent, there was a lot of fear and anxiety across the business world, mostly due to uncertainty about requirements and obligations. Some of that has subsided as companies have increased their compliance IQ. In fact, one of the primary benefits of the GDPR rollout has been an overall greater awareness and knowledge of data privacy and protection issues — and a progression toward best practices.
From an organizational perspective, developing tribal knowledge about your unique GDPR compliance universe will help build a culture that adheres to strong data protection controls. A positive byproduct of this push to spread knowledge about GDPR compliance within your ranks is that subject matter experts and champions of your cause eventually emerge. These advocates can help your company stay aligned with GDPR as your technology, processes and business evolve. Take this opportunity to adopt a standard framework and process that drives compliance across all the regulations and certifications that apply to you, not just GDPR. This is an important step in maturing your overall security posture while driving efficiencies.
For many companies, ensuring GDPR compliance has been a significant amount of work. Many still have work to do, and some may have even struggled with it over this past year. Despite the growing pains, GDPR has helped to advance privacy and security around the world and steered companies toward a more holistic approach to data protection, which, in the end, will result in a safer, more secure environment for us to work and live in.