Compliance officers are hearing more and more chatter these days about the European Union’s impending new General Data Protection Regulation (GDPR), coming into effect in May 2018.
Rightly so. The GDPR is likely to be a transformative experience for many businesses dealing with personal data.
For all practical purposes, the GDPR’s reach is global, and that includes the Philippines and any company here that handles European data. The potential penalties for noncompliance are enormous. The procedural challenges to achieving compliance are huge, just as they are in the Philippines, where implementation of the Data Privacy Law has already commenced.
And the appetite for tough enforcement of the GDPR is high among regulators and the public alike, because of one simple fact: companies keep screwing up data privacy. Why is GDPR compliance so daunting? Because it’s about more than data privacy alone. “Compliance” with the GDPR is really about empowering your customers to exercise a set of rights the European Union grants to its citizens.
Those rights allow EU citizens to control information about them on an ongoing basis. For example, not only must a company obtain consent before it collects personal data about a customer; it must allow that customer to revoke consent whenever the customer likes. Customers also have the right to see information collected about them; that implies some process to grant access. They have the right to specify where data collected about them is stored; that requires visibility into your data storage practices.
And, yes, you still need to keep all personal data secure, and meet daunting breach disclosure requirements when (not if) customers’ personal data is somehow stolen. Is this different in the Philippines? No. That is why every organization here also needs a Data Protection Officer (DPO). Do you have one already? Have you informed the National Privacy Commission?
If upholding those rights is the goal, then the first step toward compliance is analyzing your business processes to see how those processes do—or don’t—achieve those rights. Ideally, your organization has already begun that assessment. It’s also crucial to ask: are we involving the right people within our enterprise, so that assessment is useful? And are we asking the right questions?
For example, your chief information security officer (CISO) should certainly be involved in assessing data storage risks. But if your company has easy processes to let employees store data online (collecting the birth dates of clients’ children, for example, and tucking them away in a customer relationship management application), then you might need to involve the head of sales. That person knows how the business process truly happens; you and the CISO know where the compliance risks within that process are. The challenge for compliance officers is to repeat that cycle again and again, working your way through all processes that might somehow intersect with consumer data collected in your extended enterprise.
The data privacy law in the EU and the one in the Philippines both force you to reconsider how you handle employee and customer data, to ensure that security and consumer control are upheld.
It will be a sweeping exercise, intended to make companies consider “privacy by design” — that is, how to govern privacy risks in every step of every process, and to impose appropriate controls given those risks. Companies in the EU have little more than six months left to do it; in the Philippines you have basically no time left. If you need assistance with the process transformation, we have experts in data privacy protection and cybersecurity protection on call; contact me at email@example.com
By: Henry J. Schumacher