D-Day for GDPR looms large
We spent the day with Eugenia Buzogly, DPO for cloud security specialist Druva. And the subject on her lips? You guessed it – the imminent arrival of the GDPR.
According to recent surveys, many IT organizations around the world have yet to make preparations for the General Data Protection Regulation (GDPR), which comes into effect on May 25. Have they left it too late?
It depends on the type of organization and the scope of its data processing. You need to ask yourself, “What is our current practice with personal data? In particular, do we monetize it?” Although the GDPR will affect many organizations, I think the regulators will really be focusing their audits on those that actually collect customer or employee data and plan to do something with it, probably for commercial gain, that is not necessarily expected by those customers or employees. This, however, does not mean that companies in other industries shouldn’t worry about complying. They still do. It’s just less likely that they will get audited.
Can other organizations afford to relax?
They’re unlikely to be targeted by the regulators, but they should still undertake a review of the data they collect to ensure they are following good practice. For example, every organization processes employment data, so they should make sure they’ve made proper disclosure in their employment agreements.
What measures would you advise for companies that make data their livelihood, such as Druva?
As a data processor, we have to be responsible with our customers’ data – there’s just no way around that. We always have been, but now we need to document it the right way. Companies need to assess what they’ve been doing up until now. They will have been following a lot of existing regulations, including the EU’s 1995 data protection directive, so they’ll already have things like privacy and cookie notices on their website. Similarly, most global organizations will have some sort of data transfer mechanism in place that is already compliant. Having checked they’re already doing the basics, they should move on to the new requirements of GDPR.
Such as individual rights requests?
Yes, organizations need to know how to handle these. They include the so-called ‘right to be forgotten’, which will give citizens the ability to contact any organization within the EU and ask for their data to be deleted. Similarly, individuals can ask for their data to be collated and exported to a third party.
So just how easy is it to actually carry out these requests?
It can be very difficult, because data can be held in a lot of different places. The starting point is knowing exactly where personal data resides. It’s essential to be able to clearly identify how it is stored, accessed and used. Do you have proper consent for every type of data collected? Do you know the exact purpose for that data? It may take some time and effort to answer these questions.
What about risks from third parties?
You need to focus on running data protection impact assessments and vendor management. From May 25, you should have protocols in place that assess your processes and your products against GDPR requirements, and conclude whether they are high risk. Think about all the vendors you use and consider whether you have robust contracts with them. I’ve been through every vendor Druva works with and had them sign a data protection addendum that takes account of the GDPR.
To sum up, how can organizations that are behind the curve on the GDPR view it more positively?
The key is leadership from the board and executive management. As a DPO my role is to talk to our product team, engineering, finance, marketing and HR, to ensure all of them do things the right way. Whoever leads the process must have enough standing across the company to achieve buy-in. Once you have that, the compliance journey becomes a lot easier and can be a catalyst for business improvement.
Eugenia Bergantz is Director of Legal and Data Protection Officer for Druva, a US multinational offering, on a ‘software as a service’ (SaaS) basis, a single cloud platform that unifies data protection and data management for business-critical data.