Thanks to Michael Huckabee, Executive Director, SAS Global Data Management and Dan Soceanu, Senor Solutions Architect at SAS for their presentation "Supporting GDPR in a Data Driven Organization."
The purpose of the presentation was to help companies understand the General Data Protection Regulation's (GDPR) impact on companies beginning May 2018. This is the most sweeping privacy law to date and no matter where your business is located, you have liability if you store or process any EU consumer data, such as customer or employee data.
Under the GDPR, you must be able to prove that you know where personal data is, and isn't, across all your systems and lines of business. You need to know who can access the data, as well as when and how they do it. You'll have to safeguard against breaches. If you experience a breach, you must notify authorities and consumers within 72 hours. then rectify resulting issues.
So what happens if you don't? Any organization that does not comply could be fined up to $22 million or four percent of their global annual revenue, whichever is greater.
Hearing this on the heels of the WannaCry breach, which affected the NHS, made the regulations and the fines seem laughable. The NHS was still running Windows XP two years after Microsoft was no longer supporting it. I'm pretty confident the NHS has no clue where all their personal data is.
The SAS executives are working with Fortune 1000 companies to help them identify, govern and protect personal data to ensure their clients are taking appropriate measure to demonstrate compliance including: data inventory, understanding personal data and PII, and the need to get consent on an ongoing basis.
Any organization that performs significant marketing in Europe will be under extra scrutiny. Safe harbor has been declared invalid, and Privacy Shield Certification is not sufficient for GDPR.
The challenges for any organization will be:
Overview of all data services and knowledge of where the data resides.
Level of risk for each data source.
Ability to report where personal data is located.
Put processes in place for tracking and protecting data.
Have documentation and audit trails.
While GDPR enforcement will be challenging given their lack of resources, the consensus in the presentation was they will find one or two egregious violators of the regulation and punish them harshly to scare everyone else into complying. No more paying $50,000 for a bogus security certificate for your insurance company.
Companies should take a five-step approach for sustainable compliance:
Access to personal data should be adequate, relevant, and limited to what is necessary in relation to the identification of an identifiable natural person.
Identify how much personal data you have with regards to identifying and individual. You must be able to link disparate personal data in the event someone wants to be deleted from your database.
Govern by putting in place a formal orchestration of people, technology, and processes to track and manage data access, acquisition, analysis, and retention.
Comply by safeguarding personal data with anonymization, pseudonymization, and encryption.
Audit and be able to notify any personal data breaches to the supervisory authority no later than 72 hours after becoming aware of the breach.
Follow the "rule of reasonableness" to show enforcers you are taking GDPR seriously and trying to comply.
What steps are you and your organization taking to prepare for GDPR?