Like it or not, we need to figure out how to talk about GDPR.
I've been racking my brain trying to figure out how to make it fun. And while I'm not sure I've figured that one out, the clock is ticking, so we'd better dive in and make sure we're all on the same page about what initial implementation looks like. There will be strength in numbers as we collectively figure out how to practically and thoughtfully navigate the incredibly important data privacy interests this regulation advances.
Four Stages of GDPR Learning
Whether developed by Noel Burch or Abraham Maslow, the Four Stages of Learning model seems wholly relevant to the GDPR journey. As a refresher, the model outlines the following stages of learning:
- Unconscious incompetence: we don’t know what we don’t know.
- Conscious incompetence: we can identify what we don’t know and seek to learn.
- Conscious competence: we practice exercising the necessary skills, but it takes much concentration.
- Unconscious competence: the necessary skills come naturally.
At best, we are all hovering in the latter stages of conscious incompetence, even the regulators. We'll need experience and case law to really drive us into the next stage.
Related Article: What Marketers Should Know About the GDPR
The Role of the Processor
The GDPR defines a "processor" as, "a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller." The controller, "determines the purposes and means of the processing of personal data."
I view the world of the Processor from my current lens as COO at Wiretap, as well as in my previous role as CIO at Nationwide Insurance. Articles 28 through 30 are where we'll devote most of our focus. On the face of it, the articles make logical sense in the larger context of GDPR: of course a controller will own accountability for the actions a processor takes on its behalf. Therefore, the regulation must provide structures in which that accountability can occur consistently. This is particularly true in a world where the huge preponderance of enterprises are increasingly outsourcing processing activities in various forms to cloud and SaaS providers. And though the structures are in place, many necessary details remain outstanding in order to manage the practical implementation.
So as processors, what should we do to get ready and balance the equation of accountability and risk in the establishment of contracts with controllers? Further, what does due care look like in managing operations as a processor to ensure a reasonable chance at compliance?
Related Article: How Will the GDPR Impact Third-Party Lead Generation?
Proactive Steps Processors Can Take
I am not a lawyer, nor have I played one on TV (although I've talked to several), so this is certainly not a legal opinion, but I hope it helps cut through the legalese and get the highlights:
- Controllers own their own accountability for compliance: Accountability is not transitive, but be assured (and I've seen this already), controllers will try to rope processors into owning all financial accountability for an incident in their contracts. Be proactive. Work with your legal team to nail down language you can live with ahead of time and any fallback positions for negotiation. Remember: your contract has to be valid in the EU and it must outline your services in a way mere mortals can understand. (see Article 28)
- Be a good steward of the controller's data (which is often its employees’ data): This means you have to be part of the solution, not the problem. You need to ensure security, data management, audits and more. I think most companies have understood this for a long time, but the bar is definitely being raised. (see Article 32)
- Be sure you are in sync (practically and contractually) with your customers about your company’s use of third-party services. You need permission and the same type of agreements need to be in place with those processors. (see Article 28)
- If you process data outside the scope of your documented agreement with the controller, you become a controller for that processing. This seemingly simple clause could have huge implications on your obligations (beyond just being in breach of contract). (see Article 28.10)
- Your processing activities need to be documented, as do your privacy and security policies – all of which are auditable by the controller. I suspect it will be common practice for the outside auditors of controllers to require occasional audits of processors, given the material financial exposure GDPR creates. (see Articles 28 and 30)
- Be cautious and clear about ensuring compliance with any data transfer laws that need to be adhered to (and not all EU countries are the same on this). Remember, providing the ability to view the data constitutes a data transfer. (see Article 30)
- Proactively seek GDPR certification. Article 42 lays out the guidelines for this. It will spawn a lovely cottage industry and will quickly be the price of entry into the processor market.
Related Article: GDPR Isn't a Crisis for Email Marketers, It's an Opportunity
The Silver Lining
As we move into "conscious competence," we will all learn a lot and tweak how we effectively and practically meet GDPR standards. I'll close with a couple of really positive thoughts about GDPR as we work through the grind of implementation, the silver lining if you will.
GDPR is a good regulation with good intentions. Honestly, how can we argue with a premise that says we, as individuals, have a say in how our identity and data is used by companies? Getting yourself GDPR-ready will make you a better company and will open your organization up to larger markets.