Blog, Enterprise Risk Management, Governance, Risk and Compliance, Integrated Risk Management, Risk Management, Technology

Where do you stand on GDPR?

01
Jun

Some in the world recently awoke with a shock to the General Data Protection Regulation (GDPR) deadline that came to pass on 25 May. Even though the change has been on the cards for a while, only as the law came into full effect did many companies realise they are impacted by this new regulation – and even if they weren’t, it’s an apt opportunity to get their general data compliance in check.

But how can an organisation go about this? Many of the answers reside in software platforms which we provide and support at thryve. But before justifying that statement, let’s first look at what companies need to do.

GDPR’s obligations

To briefly summarise the impact of GDPR: if a company ever engages with an EU citizen’s private data, they are subject to GDPR. This means that any company that does business with the EU in any form is likely required to comply. But even if they don’t, GDPR is similar to other emerging data regulations and a good benchmark for future compliance. Let’s look at its requirements:

  • Accountability: There is no passing the buck – a company is responsible for implementing measures that puts and keeps it in compliance with regulation, both internally and among third parties.
  • Fairness & Transparency: Personal data must be handled in a lawful, fair and transparent way, from the view of both the user who provided their data and the regulator.
  • Data minimisation: The personal data being collected must be specific to the purpose. For example, you can’t request a date of birth if you have no good reason to do so.
  • Purpose limitation: Similar to data minimisation, the purpose for the personal data must be defined and its use must stick to those limitations.
  • Data deletion: Users have the right to be forgotten, and in addition, the personal data should be deleted once it’s fulfilled its original purpose.
  • Data accuracy: The collected personal data must be accurate and that accuracy should be maintained – the records can’t be out of date.
  • Security: All reasonable technical and organisational measures must be in place around security, from the systems used to staff training.

How to tackle GDPR

Taking care of GDPR compliance falls into two areas: technical measures and business measures. This is where many companies make mistakes or become disheartened. But they are not as formidable as they seem, providing the right solutions are put in place. Let’s break them down into the two groups:

Technical Measures

  • Technical data management: Organisations must track the personal data they collect, including how it is stored, how it is packaged for different parties, and ensuring the data is deleted after a certain period. This includes handling requests for information from the users who provided the personal data and being able to comply with their requests to remove their data.
  • User Authentication: Access to the personal data must be authenticated and may need services such as two-factor authentication (such as a one time pin). This includes where the data goes, such as websites outside of the EU, and may require a whitelist of addresses.
  • Logical access control: GDPR rightfully assumes that unauthorised people will try to access the personal data and thus calls for several measures. This can include encrypting the data both at rest and during transmission, event monitoring for any strange activities, and database field audit trails to manage archived data for auditing purposes.

    • These are formidable technical requirements and, if a company doesn’t have an environment that is flexible and easy to manage at scale, its GDPR project can grind to a halt.

    All of the above are addressed through the Salesforce.com platform, which thryve supports. Since Salesforce is highly reliant on data, it has developed robust toolsets and remedies that already tackle numerous requirements around data. In addition to this, it has developed systems that specifically match GDPR requirements.

    Organisational measures

    Yet the bulk of GDPR’s demands aren’t technical. They also expect the processes and culture of the organisation to fall in line:

  • Security governance framework: There must be a security governance framework in place, similar to what is required in an Iinformation Security Management System or NIST standard, dictating policies and procedures around security assessment and responses.
  • Systems and process inventory: An inventory of whatever personal data is being stored, as well as supporting systems and processes, is one of GDPR’s baseline requirements.
  • Internal audits: The organisation has to be capable of hosting internal audits of the user data and how it is being used.
  • Issue & Action management: There must be clear guidance on how issues, such as abuse or user concerns, are tackled.
  • Contracts & Policies management: GDPR makes a considerable impact on contracts, including how they are stored and authored. This includes interactions with third parties, which by their indiscretions can implicate the organisation.
  • Ongoing data sharing: The day-to-day use of personal data must be managed and clearly defined.
  • Data request management: Since a user can demand their personal data from the organisation, it must have the processes in place to accommodate for this.
  • Vendor risk management: GDPR extends to the third parties an organisation engages with, including those that sell services to it. If personal data is ever placed in the hands of a vendor, such as for storage purposes, it’s on the organisation to ensure that vendor is also compliant.

An astute business eye will spot that the organisational measures are rooted around solid policy, process and governance practices. This is daunting, as it will involve bringing the many parts of the business in line with the required measures.

Using a risk and governance platform such as Riskonnect can make this quite seamless. The fact is that companies in general struggle to get elements such as governance implemented under control. GDPR simply adds fuel to that fire. So platforms such as Riskonnect, which is built on top of Salesforce, have been addressing these issues for quite some time now and could see GDPR coming from a long way away.

Why platforms are the key

This might all sound like an elaborate pitch to sell some software. On one hand it is, but because these platforms work. Yet the larger point here is that GDPR is a multifaceted challenge and it can only be tackled by putting the right tools in place for the right people to use.

Traditional software demanded too much upfront. It required hefty implementation costs, expensive licenses and the risk that once in, it starts to grow stale and ineffective. But this approach was usurped by modern platform systems.

A platform system often deploys from the cloud, which means it benefits from the scale of development and security that the platform invests in. One company can only invest so much into its software purchase, but a platform that serves many customers has considerably more heft and experience to address key problems.

Such platforms also scale as demand calls for it. A simple proof of concept can be implemented in a matter of weeks or even days, first addressing a small footprint of core users, then expanding as the need arises. The fundamental difference between traditional software and new platforms is that with the latter the organisation maintains control over cost and implementation, without the long waiting periods before it sees results.

Salesforce and Riskonnect are blue-blooded members of the platform world, serving everything from medium businesses to global enterprises. They take a lot of the development and planning pains away, leaving the organisation to focus on the problems it wants to solve.

GDPR is just an event, albeit a very big one. It’s not introducing anything new that companies have wanted or needed to do already. But it’s now putting pressure on the change to happen, a response to the maturing world we live in. Platforms such as Salesforce and Riskonnect, supported by thryve, have grown with that maturity. They represent the solutions to the data age’s challenges and help organisations get back in charge of their risk, compliance, process and governance environments.