GDPR compliance starts with self-discovery. But don’t think that’s a touchy-feely process — it’s a big job, one of several tasks that await U.S. firms doing business in Europe.
“The first step is understanding what data you’ve got,” says Rob Perry, VP of product marketing at ASG Technologies. “In large companies, there’s so much data across the organization — they can tell you some of it, but not comprehensively.”
Companies also have to know how personally identifiable data is being used, and how it is flowing through the organization. “If you collect data, you have certain responsibilities,” Perry explains. “The person owns the data, and you have to get their permission to use it.”
That entails diving into the river of data and “going through elements that match certain formats,” Perry says. “You would look for Social Security numbers, names and other identifiers. You need to catalog and track what you actually have,” including email addresses.
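As an added illustration of the format-matching discovery Perry describes (this is example code written for this article, not ASG’s software), the following Python scanner flags records that match Social Security number and email patterns, masks what it finds so the inventory is not itself a store of personal data, and counts how many records hold each kind of identifier. The sample records, the `note` field name and the masking rules are assumptions made for the example.

```python
import re

# Constructed sample records (invented people, numbers, addresses); the "note" field name is an assumption.
SAMPLE_RECORDS = [
    {"id": 1, "note": "Customer Jane Doe, SSN 123-45-6789, contact jane.doe@example.com"},
    {"id": 2, "note": "Invoice 2019-1234 paid; ref 000-12-3456 is an order code, not an SSN"},
    {"id": 3, "note": "Support ticket from bob@example.org about shipping"},
    {"id": 4, "note": "Internal memo with no personal data"},
]

# Format patterns for the identifiers the text mentions. The SSN pattern rejects
# area 000/666/9xx, group 00 and serial 0000, which are never issued, so that
# look-alike codes (record 2) are not flagged.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}

def scan_text(text):
    """Return {kind: [matches]} for every pattern that fires on the text."""
    hits = {}
    for kind, rx in PATTERNS.items():
        found = rx.findall(text)
        if found:
            hits[kind] = found
    return hits

def mask(value):
    """Mask a matched value so the inventory itself does not become a PII store."""
    if "@" in value:
        return "***@" + value.split("@", 1)[1]   # keep only the domain
    return "*" * (len(value) - 4) + value[-4:]   # keep only the last four digits

def build_catalog(records, field="note"):
    """Map record id -> {kind: [masked values]} for records holding personal data."""
    catalog = {}
    for rec in records:
        hits = scan_text(rec[field])
        if hits:
            catalog[rec["id"]] = {k: [mask(v) for v in vals] for k, vals in hits.items()}
    return catalog

def summarize(catalog):
    """Count how many records contain each kind of identifier."""
    counts = {}
    for hits in catalog.values():
        for kind in hits:
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

A real inventory would run the same scan over every table and field, record where each hit lives, and feed the result into the consent and storage reports described below.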
The next step is to do a privacy impact assessment to determine “when it seems data could be put at risk, in large companies,” Perry says.
In general, a firm must “have reports in place to show what personal data you have, how it’s stored, where it’s stored and where you have consent. Opt-out is not an option under the GDPR. It has to be written in accessible language, and it has to be pretty specific.”
Another step is reporting on data breaches. “You have to notify the supervisory authorities and the affected individuals within 72 hours of a breach, not six months or two years, as the standard seems to be in the U.S.”
According to Perry, the company has to ask “what data did we lose, how did we use it and who do we need to notify?”
ASG offers a suite of products that can help an organization achieve GDPR compliance. These include Data Intelligence, for use in discovering the data being held, and the Intelligent Data Catalog for matching different formats. The firm’s Mobius arm helps firms manage and deliver information.
In the end, one wonders: Should a U.S. company with European customers apply the same standards in the U.S. as it does in Europe?
In general, it pays to observe the same rules everywhere. “There are complexities in applying separate rules,” Perry notes. For starters, firms would have to segment and add another field.
But it “depends on the scale of the company,” Perry adds. “Very large businesses may decide that their European interactions are large enough and segmented enough” that they can segment how they apply the rules.
ASG is a privately owned company. It has roughly 1,000 employees, and plans to expand the workforce by 16% this year. The company has had nine consecutive quarters of year-over-year license revenue growth. Last year, it received a strategic investment from Elliott Management.
In conclusion, it’s not clear how harshly the GDPR will be enforced at the start. But one thing is certain.
“This is the place you don’t want to be first,” Perry says. “You don’t want to be the first GDPR violation.”