Recent surveys reveal that businesses around the world don’t know whether they’re compliant with the EU’s General Data Protection Regulation (GDPR), even though the deadline is less than two months away. If this continues, there will be no shortage of GDPR compliance violations and fines.
If your organization would like to avoid being on the GDPR naughty list, you must avoid these six pitfalls.
Ignore that whole data privacy thing
Yes, it would be easier if you just had to protect your EU customers’ personally identifiable information (PII). Traditionally, data security has been the priority; who had access to it or where it’s stored were secondary. But GDPR isn’t a data security regulation, it’s a data privacy regulation. Because GDPR requires corporations to surrender EU customer data to its rightful owner or delete it altogether, a corporation must know where this data sits on the network, who has access to it and what’s being done with it. Ultimately, businesses won’t get partial credit for demonstrating that EU citizens’ PII is secure. It must also be private.
I can’t really forget you
Even if you haven’t used your mother’s china in years, you wouldn’t throw it out, would you? Similarly, businesses are hesitant to permanently delete any data, most notably customer records. Nevertheless, under GDPR, an EU citizen can request to have their records deleted (remember, GDPR is about data privacy) and the business holding those records must comply. Sometimes, however, this Right of Erasure or Right to be Forgotten contradicts existing laws. For example, EU banks must keep customer data for seven years. There are also certain situations (i.e., not laws) that could require a business to keep customer data despite the customer’s request to delete it. These include scientific or historical research that benefits public health or the common good. But these are exceptions to the rule. If a business can’t be bothered with locating and deleting a customer’s records and tries to use one of these loopholes as an excuse, its lawyers had better be able to convince a judge of this need. Otherwise, it’s fine time.
Actually, I forgot you, but then found you again
So, you think you have the process around forgetting someone figured out. But what happens if that person comes into your system via another channel? Consider a business that has an EU citizen’s PII in a CRM system. What if that person registered for a company newsletter? Or posted a picture of themselves on the company’s Facebook page? Email addresses and photos qualify as PII, and while they should be deleted to accommodate a Right of Erasure request, they are likely to get overlooked. Ultimately, a business will have to look in lots of different systems for PII that needs to be deleted; limiting the search to the usual systems like a CRM or ERP database won’t suffice.
Being selective (or cavalier) in the customer data you choose to segregate or delete
Data that qualifies as PII under GDPR may surprise you. Of course, a customer’s name, email address, credit card number, Social Security number or passport number all count. But so does genetic or biometric data that can uniquely identify a person, including photos, fingerprints, voice recordings or even signatures. Even a social media post or description of an EU citizen qualifies as PII. If businesses don’t know what data to classify as PII (and a recent survey revealed most don’t), they certainly won’t be able to locate, isolate, or delete it.
Failure to accommodate an EU citizen’s Right to Portability
Similar to the Right to Erasure, EU citizens can request and receive all of their personal data from a business. The data must be delivered “without hindrance,” free of charge, and in a format that is easy for them to access and use. Typically, the reason for this request is that the customer is terminating their relationship with one business, e.g., a doctor or bank, and needs to transfer their files to a new business. Before GDPR, a business might not have made this request a high priority, and in some industries it’s common for the business to charge the customer for this service. With GDPR, however, the business must comply or risk a compliance violation.
Don’t report a breach within 72 hours
Public outcry over data breaches is typically split between the fact that a breach occurred at all, and that the business waited weeks—even months—to report it. Identifying, patching and disclosing a breach involves input from lots of parties: cybersecurity and forensic consultants, lawyers, the board of directors and crisis communications professionals. Unless a plan is already in place, this process can easily take several weeks. This reasoning, however, won’t find a sympathetic audience among the Supervisory Authorities, who are tasked with enforcing GDPR. Once again, GDPR is about data privacy, so if an EU citizen’s privacy has been compromised, they have a right to be notified as soon as possible. For a business to disclose a breach within 72 hours, it must have a high degree of confidence about whether customer data has been impacted.
The key to avoiding these GDPR pitfalls is knowing where your customers’ data resides in your network. The easier it is to locate your customers’ PII, the faster you can respond to a request to hand over the data or permanently delete it. And, in the event of a data breach, knowing where your customer data is stored will provide you with valuable insight into which records may have been exposed.