Top 10 Mistakes Companies Make in GDPR Preparation

This article originally appeared in IT Business Edge on March 14, 2018

With the EU’s General Data Protection Regulation (GDPR) less than three months away from enforcement, organizations are (hopefully) pulling together their GDPR strategy. However, the nuances of GDPR are something most of us are still trying to understand – and we probably won’t grasp them until the regulation is in effect and tested. In the rush to meet the compliance standards, errors will likely be made. I talked to security experts, and here are some of the more common GDPR prep mistakes.

Thinking GDPR Doesn’t Apply to You

This could be the single biggest mistake most American companies are making about GDPR. They believe that because they are headquartered and primarily based in the U.S., GDPR isn’t something to worry about. It’s a European thing. While that attitude has begun to shift, it’s important to remember that any company based anywhere in the world is subject to GDPR if it employs 250 or more people and controls or processes personal data relating to EU residents.

GDPR Is a Guideline, Not an Obstacle

If you are struggling with GDPR, it might be because you are taking the wrong approach, according to Peter Martini, president and co-founder of iboss. “The biggest mistake enterprises can make while preparing for GDPR is to view it as an obstacle,” he said. “While there are many challenging aspects, at its core GDPR gives businesses guidelines that will actually make their data more valuable by removing redundancies and eliminating data siloes. If IT teams view this as an obstacle, they will do the bare minimum to achieve compliance while missing out on an opportunity to align GDPR compliance with overall business goals.”

Thinking About Sensitive Data in Former Terms

GDPR has us rethinking a lot of terms and ideas that we’ve been used to. Take sensitive data. Ruvi Kitov, CEO and co-founder of Tufin, pointed out that definitions of sensitive data need to be rethought and broadened considerably. “Under the GDPR, more types of data – including contact information, genetic data, biometric data and IP addresses – will be classified as sensitive,” Kitov said.

Believing Past Practices Meet GDPR

You may have great data governance practices already in place. But in the GDPR world, those may be only a foundation for today’s new rules. “There are several new aspects introduced in this legislation,” said Mitesh Shah, senior technologist with MapR Technologies. For example, the “right to be forgotten” requires companies to delete PII when a data subject requests it, and the “right to know when my data is hacked” requires companies to notify supervisory authorities when EU residents’ data has been breached.

Depending on Your Service Provider to Handle GDPR

Your MSP or cloud provider will certainly be invested in GDPR and helping you stay compliant, but overall, it is your responsibility to protect the privacy of your company’s cloud data. “Organizations still bear GDPR responsibility in their role as data controllers,” said Shah. “These controller responsibilities can be made easier by features provided by the service provider, but the orchestration and movement of data involved between services will inherently make GDPR compliance more difficult to achieve.”

Overlooking the Creation of Record of Processing Activities

Article 30 of GDPR covers Records of Processing Activities, and neglecting to examine your applications and processes would be a real mistake. “A major stepping stone of GDPR success is to take inventory and reconcile all applications on the organization’s software estate – especially software titles that are a known GDPR risk for the personal data they hold,” said Dan Kirtley, enterprise software expert and product marketing manager at Snow Software.

Ignoring Segments of Your Data Collection

“When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,” explained Chris Olson, CEO of The Media Trust. “This is a critical oversight since there are anywhere between tens and hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”

Not Understanding What You Can and Cannot Keep

There is still confusion around what companies are (and are not) allowed to do with existing customer PII, explained Sven Dummer, director of product marketing at Janrain. “On one hand, customer data that is already in a company’s system isn’t ‘grandfathered,’ so to speak — that is, companies cannot necessarily use already collected customer PII just as they might have prior to May 25, 2018. They can, however, use existing personal data if they can demonstrate that it has already been collected in a manner that complies with GDPR’s standards. Otherwise, brands must re-establish explicit consent from the user if, say for example, they collected permission to use email addresses or phone numbers via pre-selected checkboxes rather than obtaining consent to use that information for a specific and relevant purpose.”

Not Hiring a Data Protection Officer

Almost everyone I’ve spoken with over the past year has stressed the importance of making your organization’s GDPR strategy planning a team effort; this is not a one-person job. However, you still need someone to take ownership of GDPR. Steve Padgett, Global CIO with Actian, said one of the biggest mistakes he’s seeing is not designating or hiring a Data Protection Officer (DPO). “The primary role of the DPO is the strategy and implementation of the security requirements of various laws and regulations; the primary one here is GDPR, but it could also apply to other PII areas, such as HIPAA, PCI or financial information,” said Padgett. “The DPO should also take on leadership of incident response management, particularly with the 72-hour breach notification requirement in GDPR.”

Not Asking for Help

GDPR is a new learning curve for everyone. Some organizations are ahead of the game. Some are rushing to the deadline. But as Chris Cunningham, president of Unacast, stated, “We have all been provided with the same information about GDPR.” Cunningham added that if you are working with a data specialist who has spent considerable time learning the ins and outs of GDPR, “don’t be afraid to ask tough questions to make sure the resources they rely on are well-prepared for what’s to come. In other words, trust the students who put in the time to ace the exam, not the ones crossing their fingers hoping it’ll work out.”