With the General Data Protection Regulation (GDPR) deadline quickly approaching in May, many organizations are scrambling to get their customer information systems in order to meet the requirements. Any company that collects and processes the personal data of European citizens and residents—whether it is names, IP addresses, photos, videos, health and biometric info, or other types of data—will be impacted.
Because GDPR prescribes specific measures for how personal customer data is stored and handled, compliance requires a strong information governance foundation across the global enterprise. This ensures that an organization can identify where personal data exists in its systems and assess how to mitigate the associated risks. It also allows companies to leverage their data beyond GDPR compliance requirements and turn it into a valuable and ongoing corporate asset.
An effective information governance strategy includes setting, managing and enforcing data-related policies and processes – essentially, how a business collects and uses data. To set themselves up for sustained GDPR compliance, enterprises can adopt a few key best practices for executing a robust information governance strategy that protects sensitive personal data and maintains compliance with the relevant GDPR articles.
Take Stock of Your Data
GDPR compliance requires that organizations have a clear understanding of where their customer and personal data resides and what it contains. For example, organizations must adhere to the principles relating to the processing of personal data (Article 5), honor the data subject’s right of access (Article 15), act on the data subject’s right to erasure, or right to be “forgotten” (Article 17), ensure that personal data is processed only on the controller’s instructions (Article 29) and secured appropriately (Article 32). They must also notify personal data breaches to the supervisory authority (Article 33) and communicate them to the affected data subjects (Article 34).
To meet these requirements and begin establishing an effective information governance initiative for GDPR compliance and beyond, enterprises should first take an inventory of all customer data and determine its state. This can present a major challenge – particularly with customer information – because the data is everywhere. It may be structured or unstructured and spread across multiple cloud and on-premises IT systems. A proper and exhaustive assessment of data systems will be needed, and it can be accomplished with the help of technology.
Centralize Information Governance Processes
Once organizations have a clear picture of what customer data exists and where it is stored, they should take stock of how it is being used. Often, organizations have been collecting customer data for years without ever determining its exact purpose. Under GDPR, they must now state the purpose for which the data is processed (Article 5) and be able to erase it on request (Article 17). Control over personal data is shifting back to the individual, and businesses must establish a centralized way of handling these requests quickly.
A centralized information governance initiative can also help ensure that customer data will be handled securely and lawfully over the long term (Article 32 – Security of Processing). This strategy validates the location of specific customer data and establishes standardized policies for obtaining proper agreements and consents from customers. That includes developing a customer notification system and ensuring proper bi-directional communication with individuals based on their preferences. Transparent communication about customer data is paramount.
Beyond establishing these data-centric policies, companies should take the time to educate their staff on executing them, supported by automation and a defined compliance methodology. An enterprise’s Data Protection Officer and key data stewards should be able to centrally manage all information governance policies and track remediation measures for any breaches. Once a breach is detected, organizations will have 72 hours to notify the supervisory authority (Article 33) and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). The ability to recognize a breach automatically and report it properly, identify the exact source and location of the data, and determine the proper remediation steps will therefore be vital.
Establish Data Quality from the Start
Another key success element for GDPR compliance is establishing data quality from the get-go, including confirming that all customer data is accurate and up to date. A common problem is that variations in customer names create duplicate records. For example, a customer named Bill Wilson appears that way in one record but in another may appear as William Wilson, or as a variation of either with a middle initial. While this may seem trivial, if the individual has requested erasure under GDPR and the company deletes only one of the three records, it may inadvertently continue to hold that person’s data unlawfully. In that case it would be non-compliant and subject to heavy penalties.
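The following is an added example, not code from the original article, showing why erasure has to run against a normalized view of the customer table rather than against the exact string the requester typed. The customer records, the nickname table and the matching rules (verified e-mail, or normalized name plus postcode) are constructed for illustration; a real programme would tune the rules to its own identifiers and review borderline matches manually.

```python
"""Locate every record that belongs to one data subject before erasing it.

Added example, not from the original article. RECORDS, NICKNAMES and the
matching rules below are constructed for illustration.
"""
import re
import unicodedata

# Constructed nickname table: common short form -> canonical given name.
NICKNAMES = {
    "bill": "william", "will": "william", "billy": "william",
    "bob": "robert", "rob": "robert", "bobby": "robert",
    "liz": "elizabeth", "beth": "elizabeth",
}

# Constructed sample customer table. Ids 1-3 are the same person held under
# three name variants; ids 4 and 5 are different people who must NOT be erased.
RECORDS = [
    {"id": 1, "name": "Bill Wilson", "email": "b.wilson@example.com", "postcode": "SW1A 1AA"},
    {"id": 2, "name": "William Wilson", "email": "B.Wilson@Example.com", "postcode": "sw1a1aa"},
    {"id": 3, "name": "William J. Wilson", "email": "", "postcode": "SW1A 1AA"},
    {"id": 4, "name": "Wilhelmina Wilson", "email": "w.wilson@example.com", "postcode": "SW1A 1AA"},
    {"id": 5, "name": "Bill Wilson", "email": "", "postcode": "M1 1AE"},
]

# Constructed erasure request, as the data subject submitted it.
SUBJECT = {"name": "Bill Wilson", "email": "b.wilson@example.com", "postcode": "SW1A 1AA"}


def normalize_name(name):
    """Return (given, family): accents and punctuation stripped, case folded,
    middle names/initials dropped, nicknames mapped to the canonical form."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", ascii_name.lower())
    if not tokens:
        return ("", "")
    given = NICKNAMES.get(tokens[0], tokens[0])
    return (given, tokens[-1])


def normalize_email(email):
    return (email or "").strip().lower()


def normalize_postcode(postcode):
    return re.sub(r"[^A-Z0-9]", "", (postcode or "").upper())


def matches_subject(record, subject):
    """A record belongs to the subject if the e-mail matches, or, where no
    e-mail is on file, if normalized name and postcode both match."""
    email = normalize_email(record["email"])
    if email and email == normalize_email(subject["email"]):
        return True
    return (normalize_name(record["name"]) == normalize_name(subject["name"])
            and normalize_postcode(record["postcode"]) == normalize_postcode(subject["postcode"]))


def find_matching_ids(records, subject):
    """Ids of every record that should be covered by the erasure request."""
    return [r["id"] for r in records if matches_subject(r, subject)]


def naive_erase(records, subject):
    """The failure mode described in the article: delete only the record whose
    name and e-mail are byte-for-byte what the requester typed."""
    return [r for r in records
            if not (r["name"] == subject["name"] and r["email"] == subject["email"])]


def erase_subject(records, subject):
    """Erase every matching record. Returns (remaining_records, erased_ids)."""
    erased = find_matching_ids(records, subject)
    remaining = [r for r in records if r["id"] not in erased]
    return remaining, erased


if __name__ == "__main__":
    leftover = naive_erase(RECORDS, SUBJECT)
    print("naive erase leaves behind:", find_matching_ids(leftover, SUBJECT))
    remaining, erased = erase_subject(RECORDS, SUBJECT)
    print("erased:", erased, "still matching:", find_matching_ids(remaining, SUBJECT))
```

Running the check a second time against the remaining records is the point: after the naive deletion the subject still matches two records, while after the normalized erasure the match set is empty and the two unrelated Wilsons are untouched.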
Most organizations have collected customer records the same way for years, but under GDPR they are now accountable for how they store and use that data as it pertains to individuals in the EU. Fortunately, an information governance initiative can help them align data collection, usage and deletion policies with the regulation, as well as establish centralized protocols for handling breaches. A key added benefit of getting customer data right for GDPR is that companies can apply the same data quality rigor and policies to other areas of the business, helping them meet other industry regulations and achieve better business results. They can also use their information governance programs to increase overall growth and efficiency and to create new opportunities for competitive advantage.