It affects you now if you serve anyone in Europe. It will affect everyone later—but there are steps you can take now to prepare.
We have been fielding a lot of calls about the European Union’s General Data Protection Regulation and its potential impact on companies here in the U.S.
The short story is that GDPR will have an impact. As I explain below, the immediate impact is on companies that serve clients in Europe. This includes a broad range of companies, such as Google, various social media platforms, financial organizations and many others. In the longer term, GDPR will affect all of us.
GDPR is a large-scale regulatory directive passed by the European Union Parliament in 2016. A two-year grace period followed before enforcement of the regulation began. That grace period expired May 25, 2018, and the regulation is now enforced.
“The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
To summarize, GDPR is a new standard for data privacy and personal data rights. In light of recent news, data privacy is at the forefront, and people ultimately want greater care taken with their personal data. GDPR attempts to solve this problem.
5 Key GDPR Principles
Without getting into all of the specifics, GDPR is focused on five key principles.
1. Purposeful Design
- Taking greater care when designing solutions for the collection and use of data
- Data collection with a purpose; if you collect it, make sure you use it
- Elimination of redundancy; stop asking for data that you already have
- Deliberate third-party processing—who is processing what and for what reason
- Term of data records—how long do you store data and for what purpose
2. Data Management
Organizations must have a more granular understanding of the data they collect. You must document and track the data lifecycle from collection point to processing path to storage to data updating and ending with deletion.
Organizations of a certain size must designate a data officer; smaller organizations are not subject to that requirement but must still define who is responsible for managing data in their organization.
3. Transparency and Control
Companies are now responsible for being more transparent about how they process data. The process must be communicated in easy-to-understand language that explains the purpose and use of all data collected.
Companies must also provide controls that allow users to check, update and delete their data on request.
4. Limitations on Sharing
Data sharing is greatly limited and requires explicit language that describes the purpose and the pathway for sharing such data.
Sharing or selling data will require prior approval, and the responsibility to care for and update those records will persist.
5. Clear Language
Wherever data language exists, it must be written in clear, concise language that can be understood by non-lawyers and non-database engineers.
While much of this will feel like a burden, and many will not be directly impacted by the regulation, the concepts are important and timely. As I write this, Mark Zuckerberg is testifying before Congress about data privacy. This issue is at the forefront of people’s minds, and the fallout will be great. While it’s unclear whether new regulations will be put in place quickly under our current administration, I can assure you that data privacy regulation is coming.
What to Do Now
Given the uproar and potential PR impact, I would suggest getting ahead of the game. Most of these practices are important regardless of whether the regulation applies to you. You should consider leading the charge to transform how you manage your clients’ data.
First, let me say we have expertise in this area and are happy to help. But if you are looking for some ways to get started, here they are:
1. Build a data inventory
- What do you collect?
- Where do you collect the data?
- How is data collected?
- What purpose is the data collected for?
- Where is the data processed?
- Where is the data stored and for how long?
- If a data record changes, how is it kept up to date?
2. Review your language, terms and conditions, and contracts
- Are your data policies clear?
- Are data terms spelled out?
3. Build a data team and policies
- This can be outsourced or insourced.
- Build processes for the complete data lifecycle and workflow.
- Manage the change of those processes.
- Field calls and requests.
4. Find a platform to govern and manage
- We have a platform, as do others.
- This will be too complex to manage without a platform to support you.
There are deeper questions and more detailed steps to take, but this is a good start. Even just taking some time to reflect on these will put your credit union steps ahead and headed in the right direction for the future.
Chris Sachse is CEO of Think|Stack, Baltimore, a CUES strategic provider for IT governance technology.