Global understanding: G.etting D.ata P.rotection R.ight
Signavio turns the GDPR in your favor
Set against a global tech backlash and deadline-date information hysteria, comparable to the Millennium Bug furor, the GDPR positioned data handling and privacy as a human right. In fact, not since the late 90s has a hard-drop date threatened such severe business penalties, with industry leaders running scared.
Indeed, if companies around the world spent an estimated $300 to $500 billion on Y2K, then figures showing that the average spend on GDPR compliance per global organization is over $1.5 million will come as no surprise. After all, tech & misinformation and regulation & clarity, have always been combustible partners, sometimes fanning uncertainty rather than extinguishing it.
BREXIT ALERT: As it stands, GDPR applies regardless of Brexit and CASS. Read our post: Brexit and the GDPR.
Getting to grips with GDPR 2019
Signavio GDPR Resource Center
As was discussed in the blog post ranked #1 with our international readers, <<Rewind after reading, the GDPR may have only been in effect for a year, but EU member states have been far from inactive. Regulators around the world have steadily grown their staff numbers and expertise, and a lack of preparation could cost companies dearly.
The regulators are circling
Signavio GDPR Resource Center: Global GDPR Influencer
Understanding this, Signavio was one of the world’s first companies to highlight the significance of the GDPR in 2019, and the threat posed by GDPR bounty hunters. These opportunistic thieves work by identifying areas an organization fails to comply with the GDPR, then attacking/extorting that organization—after providing them with a copy of their data to prove the breach.
Bam! The organization then has two choices: 1. pay the official fine once the hacker has reported the breach, or 2. pay the hacker’s chosen amount, which could be anything below the maximum levied by the EU: €20m or 4% of the organization’s annual global turnover.
Scary stuff! And it emphasizes that even if you have all the structures in place and are handling customer data in strict accordance with the law, you must also be continually testing your own processes and making sure you find any potential breaches before anyone else does.
GDPR 2019: You are only as strong as your processes
In fact, organizations must continuously be monitoring the customer data they have already collected, how it is stored, and when, why, and how it is shared. At any point in time, you should be able to understand and visualize where consumer data sits; the processes in which this data is utilized; and most importantly, the processes which support your obligation to handle and protect it.
Signavio GDPR Resource Center
Signavio GDPR Resource Center: Expert knowledge at your fingertips
To mark the first year of the GDPR on May 25, we have created the Signavio GDPR Resource Center that combines thought leadership and expert downloads, with interviews across leading global publications, including Entrepreneur and The Australian. You will also find our GDPR blog post campaign and can stay informed on the latest updates with our GDPR 2019 white paper, and technical guide.
After all, Getting Data Protection Right is what the GDPR is made of.
BREXIT ALERT: The EU Payments Services Directive (PSD2), aimed at the way merchants take payments, took effect on January 13, 2018, bringing new laws for improving consumer rights. Such as transparency and surcharging. As it stands, regardless of Brexit, some of its more disruptive UK-facing regulations are still working their way through the EU Parliament and will come into force in September 2019 at the earliest!
SWISS ALERT: Even though Switzerland is not a member of the EU or the EEA, if a Swiss company targets EU end customers, you have to comply with GDPR. However, this only triggers GDPR duties relevant to that particular activity. It is unlikely to affect your overall company, such as HR or the treatment of your Swiss customers (if not required by operational reasons, such as commonly used tools or systems).
*Visit the Signavio GDPR Resource Center for more information.
The Signavio interview with Tobias Przybylla
Signavio GDPR Resource Center: The Global GDPR 2019 Influencer
Having many years of experience in process management, optimization, and modeling, what do you think are some of the critical process challenges facing organizations a year into the GDPR?
Without doubt, process management solutions are becoming an all-in-one source of data and privacy truth. There have been 57,000 complaints lodged with national data protection watchdogs, and more than 27,000 organizations have reported data breaches under the 72-hour time limit.
So, how can companies improve their operations? Well, GDPR compliance is all about processes. Implementation is about documenting and developing processes, obtaining opt-in consent, and reporting data breaches. Plus, provisions such as a request by individuals to access information about their personal data processing, require processing of their own!
Active and robust process management initiatives are therefore a necessity to support GDPR implementation, by identifying existing processes and developing new ones for compliance. Under the ‘right to be forgotten’ requirement of the GDPR, finding and deleting personal data is a process problem, not a data problem. Companies need to know how information is processed throughout the entire enterprise to detect and remove all instances of the name/data.
The GDPR has also added an extra layer of complexity for companies that use subcontractors because previous laws did not cover the ownership of privacy data between a principal contractor and a subcontractor. With the GDPR, the main contractor is now responsible, so they need to be able to monitor all subcontractor activity.
Interesting. So, it sounds like the GDPR is fast becoming the default level of compliance for global organizations dealing with consumer data?
Exactly. The global impact of GDPR is now becoming more evident. Since its implementation, at least ten countries outside the EU, including Australia and Argentina, have moved to implement similar rules. For advanced economies, updating their domestic legislation will be relatively straightforward. In some cases, countries are copying the GDPR almost word for word.
When it comes to dealing with consumer data, companies must balance the default need to access the EU’s market of 500 million customers with the pressure to support and encourage domestic innovation. Developing economies such as India have managed to devise comprehensive regulatory frameworks to meet the EU’s rules while also being sensitive to their own economic and cultural trajectory.
However, GDPR compliance for global organizations dealing with customer data is not about penalizing organizations; it’s about protecting the consumer. It is about having the technology and expertise to make the critical principles of trust and transparency the bedrock on which you build your organization—wherever you are in the world.
But wouldn’t it just be easier for organizations to pull out of the European market and avoid the costs of complying with GDPR altogether?
We have certainly seen examples of companies ‘pulling the plug’ on the EU—sometimes even overnight—including US companies Drawbridge, Verve, and Klout. Even Uber Entertainment, which makes online games, shut down its Super Monday Night Combat game because of the difficulty in deleting data from user accounts.
… This is one of the reasons why we see a significant upturn in the number of US and geographically coded consent pop-ups that appear across websites on EU IP addresses.
But as I mentioned, Europe is a market of 500 million customers, and as companies bed down better in the GDPR; there is scope to transform operations and continue the extension of data and privacy rights already embedded within many business frameworks.
Signavio sees significant GDPR interest from across Australia in particular. It seems Australian laws protect consumer's data rights, but do you think they go far enough and do you envision any significant changes to Australian laws due to the GDPR?
The increased focus on digital privacy is part of a global trend, and it is great to see Australian businesses, and the government, recognize how important it is to offer sufficient data protection to remain globally competitive.
The interesting thing is that this is taking place in a context where there seems to be a pretty significant difference in the aims of the Australian Privacy Act 1988 and the GDPR. The Privacy Act is essentially a cybersecurity policy, helping businesses to understand their responsibilities in terms of governance, as well as providing the information they need to avoid penalties for a data breach.
However, the GDPR is very consumer-focused and rights-based with the emphasis on a pro-consumer regulatory approach to what companies can do with data, as well as obtaining consumer consent, and so on.
Importantly, though, there is a significant overlap between current Australian privacy laws and the GDPR too, meaning that Australian organizations are coming around to the view that customer data doesn’t belong to them, it belongs to the customer, and the business is just processing it for them.
With that, we have just launched the Signavio GDPR Resource Center; do you believe that consumer awareness regarding data collection and trading is increasing?
Consumer awareness is definitely increasing. It is fascinating that the first infringement complaints arrived on the very day that the GDPR came into force, when claims were made against Facebook, Instagram, WhatsApp, and Google, for “forced consent,” i.e., forcing users to agree to new privacy policies.
You already mentioned that the GDPR positioned data handling and privacy as a human right, and now there is no turning away from our obligations under it.
Great point. So, let’s break down the final question! 1. Can you think of any lesser-known GDPR imperatives that readers may not know about, and how Signavio can help? 2. In layman’s terms, how does Signavio work with companies to ensure they are GDPR compliant?
1. There are several fundamental topics in that first question, actually! But on a daily operational level, Signavio can help structure Data Protection Impact Assessments (DPIA). This is a critical topic today because the DPIA is a process to help you identify and minimize any project data protection risks. You must conduct a DPIA for all processing that is likely to result in a high risk to individuals.
One other lesser-known requirement is that companies must also record processing activities known as GDPR Records of Data Processing Activities. These records include significant information about data processing, data categories, the group of data subjects, the purpose of the processing and the data recipient. These records may even need to be available publicly.
With Signavio, you can ensure that the data processing activities and the data flows are mapped out in your processes, meaning the legally required documents are just one click away
2. To answer the second part of your question, Signavio can help in lots of other ways too. For any company concerned about their GDPR compliance, no matter the size of the organization, we have a four-stage plan to assist.First, Signavio would conduct a company-wide inventory of all processes, and find out which current-state processes are not yet in line with GDPR requirements. Based on the results of this investigation, we’d introduce systematic measures to a. make the processes GDPR-compliant, and b. review and maintain that compliance over time.
The plan can be broken down as follows:
Classify personal data
Implement a system to capture GDPR-relevant data, using a glossary to define terms
Detect personal data
Analyze business processes
Capture personal data and GDPR-relevant process information
Monitor personal data
Observe process variants and changes over time
*Specific measures under each step could include: Creating a repository of all customer data collected by the organization, with the option to filter the data based on specific provisions of the GDPR; approval workflows that test whether a specific business process is GDPR-compliant; ensuring any piece of data collected about a consumer is defined in relation to how the GDPR affects that information; and notifications whenever a GDPR-connected business process is changed, with a reminder to ensure the process remains compliant after the changes.
*Check out the Signavio GDPR Resource Center for more expert insights.
G.etting D.ata P.rotection R.ight
Signavio GDPR Resource Center: The Global GDPR 2019 Influencer
If you’re keen to see for yourself how Signavio can help your organization thrive under the GDPR, sign up for a free 30-day trial today. Or check out the Signavio GDPR Resource Center!