With a key date rapidly approaching, Axis Business Solutions is promoting awareness among its client base. On May 25, 2018 the General Data Protection Regulation takes effect, bringing significant changes to how businesses manage information by setting rules for protecting the personal data of EU residents, as discussed in our recent webinar.
GDPR, the General Data Protection Regulation, is an EU regulation that will affect businesses worldwide. It establishes rules around consent, notification (of breaches, for example), accountability for compliance, and the anonymisation of personal data. For companies like those in financial services there will be, and mostly already has been, a huge investment in compliance. But the effects reach not only companies in the United States but small and mid-sized businesses as well.
“The GDPR is one of the most significant changes to modern privacy standards,” said Jason Sgro, security and compliance expert at The ATOM Group and strategic Axis partner. “It materially expands the actionable rights a resident of the EU has to consent and govern the use of their data, even when it comes to controllers and processors outside the European Member States. It also expands the categories of identifiers beyond what we’ve seen with other rules. This has a significant impact on industry standard tools for marketing automation, document sharing and CRMs to name a few.”
Historically, companies have gathered the information they need but typically also take the opportunity to collect data that goes beyond the specific purpose of the collection. Companies need to look at exactly what data is required and pare down to what is essential to achieve the intended result. On a larger scale, companies must examine their Big Data approach and the tremendous amount of information they gather about individuals. Sgro pointed out that if this practice results in profiling, particularly when a discriminatory action results, or leaves data vulnerable to breach, then companies must change their practices to become compliant.
“The right to be forgotten is a significant concern for modern companies that don’t have strict data tracking mechanisms. If identifiable data is downloaded from a marketing system and passed through file sharing, email, restoration of backups or shared into other business systems, then all of those copies must be removed as part of the right to be forgotten,” said Sgro.
And where, in the past, responsibility for compliance could be contracted out to third parties and accounted for through their assurances, that is no longer the case under the GDPR.
“Traditional regulations often allow the ability to pass the burden of the regulation onto sub-processors using – as in the case with HIPAA – a business associate agreement,” said Sgro. “While these types of agreements will be used in relation to the GDPR, under the GDPR a controller bears responsibility for ensuring the data they collect is processed appropriately even by a sub-processor, and they cannot fully indemnify themselves from liability by universally passing that burden to a sub-processor.”
If you have not had the opportunity to discuss what these changes mean for your business, the time for a review is now. Ensuring you have a policy in place to manage these changes, and a way to record and monitor consent, will be an ongoing concern for companies of all sizes. Axis has already helped many clients prepare and has the expertise to get your company ready. As Sgro noted, the need to carefully plan for and manage consent is a positive development that will bring improved protections and processes to this space.
“The requirement to gain active consent has signaled a major change in consent management. This is a welcome change for many because the GDPR requires that we understand why a company is gathering each identifier and for what purpose. This begins a process aimed at changing the behavior of many companies who make a grab for as much data as possible even though they do not have an immediate business reason to collect the data.”
For the last twenty years, Jason Sgro has been a servant of leadership, an expert generalist at the intersection of humanity and technology. Today he assists the teams at ATOM in driving the company’s strategic initiatives, management consulting and security practices. He brings 20 years’ experience as a practitioner, technical strategist, investor and advisor to the Axis community and beyond.