February 2020 Newsletter – GDPR
Introduction: Addressing Compliance
Enforcement of the General Data Protection Regulation (GDPR) began in May 2018, with the intention of strengthening and unifying data protection for all individuals within the European Union (EU). The regulation also extends to businesses that are not based in the EU but transact business within it. As an organization based in the US, this concerns you if you have EU employees or clients. You need to pay particular attention to how you collect, manage, and distribute data containing Personally Identifiable Information (PII). Handling Personally Identifiable Information and other sensitive information brings obligations in areas like:
- Data Subject Access requests
- Right to be Forgotten
- Reporting data breaches
- Protection of Personally Identifiable Information (PII) and sensitive data
An AIIM research study titled “GDPR After the Deadline – Progress, But a Long Way to Go”, released in 2018, found that only thirty-six percent of businesses reported having a dedicated data privacy function within their organizations. The remainder either placed the responsibility with another role such as IT or Records Management, or did not have any focus on data privacy at all. In the same report, forty percent of respondents cited legal obligations as their reason to address data privacy, indicating a lack of strategic focus and preparation. As a result, these organizations are at risk of non-compliance and of the fines GDPR provides for violators: up to €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Elements of GDPR
Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. – Personally Identifiable Information (PII) and other sensitive data must be protected. Data collected to be shared and included in various business uses must be securely managed throughout the entire information lifecycle.
All data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. – Commonly referred to as “purposeful limitation”: only the data relevant to the purpose for which the professional is processing it may be used.
Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. – Business professionals with responsibilities connected to qualified data must manage Data Subject Access Requests and the Right to be Forgotten. This means there must be a way to ensure that all customer data is kept up to date and accurately maintained, and then disposed of at the appropriate time. This can have a significant impact on when and where customer data is used, as well as on retention and disposition periods.
Storage Limitation
Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. – Business professionals must adhere to “storage limitation” requirements when maintaining customer and supplier correspondence records: records are held for no longer than is allowed by the regulatory and legal statutes relevant to the defined business transactional guidelines.
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. – Business professionals must ensure the “integrity and confidentiality” of customer and supplier correspondence: correspondence is securely maintained, with proof of delivery to the intended recipient.
Organizational Responsibility
As an Information Professional, potentially working in one of a number of different departments, you may well be held responsible for daily, bi-directional, multi-channel communications with both internal and external clients. As a result, you should be concerned: while you may be focusing on improving customer experience, reducing customer churn, and increasing both loyalty and spend per customer, you must also contend with the ever growing and increasingly complex regulations that govern our commercial lives.
In relation to the GDPR, you are responsible for protecting all Personally Identifiable Information (PII) and sensitive information contained within and related to those business applications, communiqués, and other business activities from possible exposure. You are also responsible for ensuring that your communication methods comply with GDPR. For example, under the rules of GDPR, if the person you wish to contact is part of a marketing campaign, you need their permission – so an opt-in through an in-bound method might be one way to collect that permission and also to maintain proof that it was given.
In the following sections we will explore the different elements of GDPR, and the impact they have on business organizations.
Bottom Line
GDPR requires that data protection be designed into the development of business processes for products and services under Article 25 – Privacy by Design and by Default. ECM (Enterprise Content Management) and BPM (Business Process Management) technologies help Information Professionals and business leaders align with and address compliance with the elements of GDPR, from capture of information at the first touchpoint through to disposition.
In addition to GDPR, the United States is seeing regulatory changes that mimic the GDPR. For example, seventeen States – including NV – now have regulatory requirements that in some cases reflect GDPR almost identically. One example is the California Consumer Privacy Act (CCPA), passed in June 2018.
CCPA
In Nevada, SB 220, which also took effect in 2018, focuses on data privacy, but unlike the CCPA, which grants consumers rights to access and/or portability and deletion, SB 220 really only grants consumers the right to opt out of having their data sold. Additionally, unlike the CCPA, Nevada’s SB 220 doesn’t apply to companies that collect personal information offline.
As you can see from these examples, each State can and likely will have similarities but also differences, making it challenging for Information Professionals to standardize practices across the enterprise. This also reflects the need for organizations to establish cross-functional teams that include Legal Counsel, to ensure that regulations are understood, that processes are improved and automated to support compliance, and that the user community is trained in compliance practices and the tools used to adhere to these regulations.
Written By: Bob Larrivee
About Bob Larrivee, President Bob Larrivee Consultancy
Thought Leader – Futurist – Speaker – Author – Musician – Poet – Journalist
Inducted into the AIIM Company of Fellows in 2019, Bob Larrivee is a recognized expert in the application of advanced technologies and process improvement to solve business problems and enhance business operations. In his career, Bob has led many projects and authored hundreds of eBooks, industry reports, blogs, articles, and infographics. In addition, he has served as host and guest Subject Matter Expert on a wide variety of webinars, podcasts and virtual events, and has lectured at in-person seminars and conferences around the globe.
Bob’s industry expertise comes from his leadership and hands-on experience in Product Management, R&D, Marketing and Sales, and Education. His passion is to share knowledge and experience with organizations seeking to improve their operations, embrace technology and drive their business forward.