Consent management. The right to be forgotten. The data privacy impact assessment. For companies focusing on GDPR, these have (hopefully) become familiar terms.
They are among the well-known requirements that help make up this complex regulation and are usually the first to be cited when a company is asked about its compliance to it. But the GDPR is a long document with 11 chapters and 99 articles, which deal with a wide range of such complex topics as joint controllers, the designation of a data protection officer, the transfer of data to third countries, dispute resolutions...you get the idea.
As the effective date of May 25, 2018 looms for this rule, there are bound to be gaps in compliance and perhaps outright mistakes in interpreting the guidance. It would be understandable if you fall prey to this: the law is not only very broad, but there are few authoritative sources that provide all of the information necessary for compliance, according to Dimitri Sirota, CEO of BigID.
As a result, he says, “We are finding that companies are cherry picking what they think is important to their operations and focusing on that first.” While this strategy may seem logical, it also leaves companies open to numerous compliance vulnerabilities.
CMSWire's Erika Morphy spoke with experts to find out where some of these hidden areas of risk could be.
You Didn’t Cover All of the Data That is Addressed In the Regulation
Most organizations have three types of data, says Kevin Gibson, CEO and chairman of Hanzo: structured, unstructured and web data. “You have to search all three forms. If you search structured databases for personally identifiable information, but not unstructured and web data, you have no solution,” he says. According to him, if you aren't covering all the bases, you’re at risk.
The range of data that fall under GDPR can seem astounding, according to Hyoun Park, an analyst at Amalgam Insights. “Things such as social media posts, metadata, pictures of yourself or your profile or your family, your IP address, the geographic location where you might have accessed something if you are using a mobile device — all of this is now subject to the protection and management of GDPR,” he says.
You Didn’t Adequately Comply With the Purpose Limitation Principle in GDPR
The regulation attaches restrictions to data that is only to be used for a specific purpose, explained Andrew Burt, chief privacy officer and legal engineer at Immuta. Not only do you have to ensure that the data is used in those specific circumstances only — but you also have to be prepared to demonstrate that compliance to regulators, he says. “You have to show that you have kept track of that compliance throughout the chain, from collection to use."
You Can’t Demonstrate Compliance to Regulators and Consumers
Indeed, this theme of being able to demonstrate compliance to regulators can apply to almost all aspects of GDPR. For instance, companies are working towards compliance for the overarching principles in GDPR — such as consent and the right to correct data — and many should be able to achieve it, according to Sirota. Where they might fall down, he cautions, is in the demonstration of this compliance. “Providing a single screen or something similar from which you can generate reports for the regulator or lawyers or the individual is going to be a challenge for companies,” he says.
For some companies, however, the actual compliance is proving to be tricky, he added. “Under GDPR companies have to be able to account for all of the data belonging to every individual. It is very challenging because traditional technology for data discovery doesn’t help you find an individual’s data. It wasn’t designed for that," says Sirota. Instead, this was designed to find, say, payment data or a Social Security number — in the U.S. that is. It is not necessarily equipped to find all of the data that belongs to an individual; data which likely resides in many different siloed databases and applications, he warns.
You Can’t Demonstrate You Have Consent For All the Data That You Have Collected
Think of all the ways you have collected data on an individual — through a website, from a payment card, or at checkout in a retail store. Even assuming you have managed to find all of this data, the trick will be demonstrating there is consent for each corresponding piece, Sirota says.
You Didn’t Truly Delete the Data as Required Under the Right of Erasure
The idea is that a customer has the right to have any of his or her data deleted — completely wiped out — from the company files. The problem, Park says, is that this will not be easy for companies that have used traditional data management strategies, which are based around archiving data — not deleting it. “The idea of deleting data will be a challenge as it is counter to most data retention strategies to date. You can’t just put data in a vault where it will remain forever. You have to be able to get that data out of the vault and then actually delete the records associated with a customer," he says.