General Data Protection Regulation compliance date is less than 330 days from now. Infosec corporate marketing social media feeds are filled with “How to become GDPR compliant” or similar marketing messages. Our blog and feeds have regularly had GDPR related content and posts. All the organisations we talk with have some sort of GDPR project ongoing. This is a good sign. You should be aware though – There’s no silver bullet for GDPR compliance.
This is what marketers won’t tell you
330 days is a short time. Is it time to start panicking if you’re still trying to get your head around GDPR? I’d say “yes” as a rule of thumb, but it largely depends on your business. Our organisation will soon start collecting unambiguous consent when people sign-up for our newsletters, or submit a contact / demo request for processing of their data. Essentially, we’re asking for permission to send them a periodic newsletter, and allowing them to easily opt-out. For us GDPR doesn’t pose significant changes or demands externally and thanks for our ISO27k certification internal processes will be inline with the regulation. For a large, perhaps international, portal selling goods and services to both EU consumer and business customers the situation is different.
But don’t fall for the messages created by marketing departments of technology vendors. There is no silver bullet for GDPR compliance. Becoming compliant is 75% process work and 25% technology. Each organisation handling the personal data of an EU citizen is different and that means that technical solutions can help you in many areas of GDPR, but will not deliver you the 100% compliance in a form of a magical black box.
Identity and Access Management is a good example. IAM can certainly help organisations in many ways on their way towards compliance. IAM can unify how identity related data is managed (access, management, erasure, transport), and one of the hottest topic of GDPR, consent management, can benefit from IAM solutions giving greater self-service features for the citizens when granting, managing and revoking consent. But it’s a far cry of becoming fully compliant. Vendors such as Ubisecure can deliver technical solutions that can allow the organisation to concentrate on the process part and thus expedite GDPR related projects. Vendors can lessen the headache related to the implementation part. Each (and I do mean each and every one) organisation handling EU citizen data have to go through the other parts of the process by themselves, either using internal resources or getting help from external consultancies.
GDPR will affect you
One of the threats used in many marketing messages is the penalty clause. Yes, there are hefty sanctions, but it will be the first court cases that will set the tone how the regulation will be enforced. Lawyers specifically are quite vague when you ask their opinion, for a good reason – they don’t know yet.
You might think that this does not affect your organisation, or that your customers will not ask difficult questions, or make erasure or consent proof requests. This perception is false. First of all, if you store any identifiable data of a natural person, you have to be compliant. The citizens will not remain ignorant of their rights. The EU will launch an education campaign to inform the citizens about GDPR and their rights. You should be prepared to answer, in a timely manner, any data subject information requests – EU citizen asking “what do you have on me?”.
The most obvious targets like large commercial online sites are probably already on their way towards compliance. What about e.g. connected devices? Devices or apps where you have to register as a user / owner, will fall under the compliance requirements if the data leaves the device. My suspicion is that most of the manufacturers of smart devices are fairly ignorant when it comes to the requirements of the GDPR. The basic lack of security in general in connected devices is not a good indicator of GDPR awareness. Mobile apps are another matter – will the citizen be able to see all relevant information through the app, or does it involve a centralised portal? Can the citizen see and manage consent (if required) through the app?
Another aspect of GDPR involves employees. The biggest emphasis in the messages I’ve seen has been about the citizen, but requirements within the regulation also put formal controls how personal data should be treated, or rather accessed. Previous directives and local legislation have already put in place requirements on how personal data should be accessed and now it will be a part of the regulation. Personal data should only be available to those employees who have a legitimate reason to access it. A role based access model should be a good solution to ensure that employees with a valid reason can access the data.
Privacy will boost your business
Is this all bad news then? Absolutely not. The EU regulation forces companies towards Privacy by Design principle. The regulation grants greater power to the customers.
Privacy generates trust, and trust is the basic building block of business. Enhanced privacy and therefore trust will increase the user confidence towards online services thus generating new opportunities and revenue for companies with digital business solutions.
Our customers with our Identity Platform have started their path towards a unified identity and access management solution for external users (both B2C and B2B) even way before GDPR was on the table. Their path towards GDPR compliance maybe smoother compared to organisations with separate identity silos from different business units and multiple online services. However – you must first identify the gaps in your own processes and technology, and discover the problem areas and then search for suitable remedies. IAM can be one of the technologies helping you, but your own investigation will eventually show what you need. So in conclusion, there is no silver, or even a platinum bullet for GDPR compliance, but there are brilliant people and technical solutions that can help your organisation achieve it.
Subscribe to our newsletter (on the right) to receive news on GDPR, release of new whitepapers, industry news, technical announcements and more.
About The Author: Petteri Ihalainen
More posts by Petteri Ihalainen