When I read articles documenting the percentage of companies fully GDPR compliant, I must admit my laughter gets the best of me. I have yet to read an article explaining what companies mean when they say they are “fully compliant”. I believe journalists must press companies to explain themselves before they can write a meaningful GDPR compliance article. The author of an article should understand all the components of complete GDPR compliance and have some feeling for which components are the most significant in order to construct a helpful assessment of GDPR compliance. Below are what I consider to be the major components of near-complete GDPR compliance, with some suggestions as to how to determine whether a company really is compliant in each area.
- Encrypt/protect Personally Identifiable Information. (To me this has to be the central component of GDPR compliance.) Yet what does it take to be compliant? Names, addresses, birth dates, credit card numbers, emails, Social Security numbers, national IDs, etc. are obviously fields that can be exploited by hackers and need to be encrypted or otherwise anonymized.
  - To be compliant, all these personal identifiers (and many more) must be protected everywhere in a company’s data environment, including office documents, PDFs, emails, etc.
  - How often does a company run discovery to detect whether unencrypted personal data has been reintroduced into its environment? Companies constantly add data from many sources (IoT, social media, third parties) which must be processed before it can be included in the company’s data environment. Protecting personal data is a 24/7/365 effort, not a once-a-quarter process.
  - How often does a company decrypt personal data to perform marketing and business analytics? Does it use an isolated, off-the-grid environment for this purpose so that hackers can’t hijack the process or steal data while it is running?
  - How does a company conduct point-of-sale processing securely? If it can’t answer the question, then you know it is NOT GDPR compliant.
- Consent Processing.
  - Does a company clearly state how the personal data it collects will be used?
  - Cookies are not valid consent!
  - Does the consent process allow interaction between the company and the citizen: bilateral communication and the ability for the citizen to qualify their consent (for example, “use this email account only” or “use this phone number only”) in dialog boxes or documents?
  - Does the consent process allow the citizen to change their mind at any time?
  - Does the consent process protect the data collected from citizens from misuse by others?
- Right of Erasure.
  - How can a company find all the information associated with a single individual? Imagine all the disparate sources a company would need to interrogate: business applications, legacy systems, documents, PDFs, emails, XML documents, and many types of unstructured data. The list would be very long indeed. If a company has no central repository for data, I find it nearly impossible to believe it has a process to grant a citizen their Right of Erasure.
  - Can a company explain, when processing a citizen’s Right of Erasure, which types of data can be deleted and which must only be encrypted or sequestered because they might be subject to legal recall?
- Indirect Identifiers.
  - They are seldom discussed because companies have such great difficulty discovering them in their environment. Indirect identifiers can be composed of multiple data fields found separately across many different files. What process would a company use to bring those fields together for remediation? Without a central repository that brings together all of a company’s disparate data, I believe it would be extremely difficult and improbable to identify these indirect identifiers.
  - The process for discovery requires logically connecting multiple files by a variety of fields, in effect generating logical views of many different files. If a company doesn’t articulate its efforts to link disparate files, then most certainly it is not accurately discovering Indirect Identifiers.
- A reporting system that, when customer personal data has been breached, informs the various regulatory agencies that require notification.
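The Indirect Identifiers points above describe linking disparate files by ordinary fields to find combinations that identify a person. The following is an added example (not from the article) that does exactly that on constructed data: it scores field combinations by k-anonymity and then shows that an extract with names removed still links back to named CRM records through those fields. The record layout, field names and values are all assumptions made for the example.

```python
# Added example, not from the article: measure how uniquely combinations of
# ordinary fields single out a person (k-anonymity) and link "anonymized" data back.
from collections import Counter
from itertools import combinations

# Constructed sample data: CRM carries a name; ANALYTICS was "anonymized" by dropping it.
CRM = [
    {"name": "A. Rivera",    "zip": "10001", "byear": 1985, "gender": "F"},
    {"name": "B. Chen",      "zip": "10001", "byear": 1985, "gender": "M"},
    {"name": "C. Okafor",    "zip": "10002", "byear": 1990, "gender": "F"},
    {"name": "D. Novak",     "zip": "10002", "byear": 1990, "gender": "F"},
    {"name": "E. Haddad",    "zip": "10001", "byear": 1990, "gender": "M"},
    {"name": "F. Lindqvist", "zip": "10002", "byear": 1985, "gender": "M"},
]
ANALYTICS = [
    {"zip": "10001", "byear": 1985, "gender": "F", "spend": 420},
    {"zip": "10002", "byear": 1990, "gender": "F", "spend": 95},
    {"zip": "10001", "byear": 1990, "gender": "M", "spend": 1300},
]

def k_anonymity(records, fields):
    """Smallest group of records sharing one value combination (k=1: unique)."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())

def find_indirect_identifiers(records, candidate_fields, k_threshold=2):
    """Field combinations that identify someone although no single field does."""
    risky = []
    for n in range(1, len(candidate_fields) + 1):
        for combo in combinations(candidate_fields, n):
            if k_anonymity(records, combo) < k_threshold:
                risky.append(combo)
    return risky

def link_records(named, anon, fields):
    """Join anon back to named records; keep pairs where exactly one name matches."""
    index = {}
    for r in named:
        index.setdefault(tuple(r[f] for f in fields), []).append(r)
    linked = []
    for a in anon:
        hits = index.get(tuple(a[f] for f in fields), [])
        if len(hits) == 1:
            linked.append((hits[0]["name"], a))
    return linked

if __name__ == "__main__":
    qi = ("zip", "byear", "gender")
    print("risky combinations:", find_indirect_identifiers(CRM, qi))
    print("re-identified:", [n for n, _ in link_records(CRM, ANALYTICS, qi)])
```

Every single field here has k=3, yet every pair of fields already singles someone out, which is the "logical view across files" the article says companies must build in order to see the exposure.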
I certainly hope other experts and journalists respond to this article and identify what they feel are the main concepts behind GDPR and other regulatory efforts worldwide, and how well companies are ‘really’ achieving the goals of these regulations.
As a citizen, my greatest fear is having my identity stolen (more than the two times my credit cards have been stolen in the past 3 weeks) and suffering financial loss as a result. On occasion, I feel exploited by companies that seem to know everything about me, and I do fear their stockpile of information could be used by others to cause me harm in one way or another.
I would certainly like to reward companies that are making efforts and reaching a significant level of compliance with GDPR by giving them my business and customer loyalty, and by suggesting that other citizens do the same.
I would be pleased to assist any company in reaching fuller compliance by sharing my expertise and my experience with methodologies, technologies and frameworks that have promise in this battle with exposed personal data. It seems like a mystery as to how a company can become compliant, but with the proper direction it can come much closer to successful compliance than one might imagine.
Companies must understand that it will take technology to make any regulatory compliance successful; there are just too many variables, such as the need to monitor the environment 24/7/365 and to scale in ways that are beyond human capability but well within that of applications.