Compliance officers are hearing more and more chatter these days about the European Union’s (EU) impending new General Data Protection Regulation (GDPR), coming into effect in May 2018.
Rightly so. The GDPR is likely to be a transformative experience for many businesses dealing with personal data.
For all practical purposes, the GDPR’s reach is global: it extends to the Philippines and to any company here that handles European data. The potential penalties for noncompliance are enormous. The procedural challenges to achieve compliance are huge, just as they are in the Philippines, where implementation of the data-privacy law has already commenced.
And the appetite for tough enforcement of the GDPR is high among regulators and the public alike, because of one simple fact: companies keep screwing up data privacy.
Why is GDPR compliance so daunting? Because it’s about more than data privacy alone.
“Compliance” with the GDPR is really about empowering your customers to exercise a set of rights the EU grants to its citizens.
Those rights allow EU citizens to control information about them on an ongoing basis. For example, not only must a company obtain consent before it collects personal data about a customer; it must allow that customer to revoke consent whenever the customer likes.
Customers also have the right to see information collected about them; that implies some process to grant access. They have the right to specify where data collected about them is stored; that requires visibility into your data storage practices.
And, yes, you still need to keep all personal data secure, and meet daunting breach-disclosure requirements when (not if) customers’ personal data is stolen somehow. Is this different in the Philippines? No. That’s the reason every organization here also needs a data-protection officer. Do you have one already? Have you informed the National Privacy Commission?
If upholding those rights is the goal, then the first step toward compliance is analyzing your business processes to see how those processes do—or don’t—achieve those rights.
Ideally, your organization has already begun that assessment. It’s also crucial to ask: Are we involving the right people within our enterprise, so that assessment is useful? And are we asking the right questions?
For example, your chief information security officer (CISO) should certainly be involved in assessing data-storage risks. But if your company has easy processes that let employees store data online (collecting the birthdates of clients’ children, for example, and tucking them away in a customer relationship management application), then you might need to involve the head of sales. That person knows how the business process truly happens; you and the CISO know where the compliance risks within that process are. The challenge for compliance officers is to repeat that cycle again and again, working their way through all processes that might somehow intersect with consumer data collected in your extended enterprise.
The data-privacy law in the EU and the one in the Philippines force you to reconsider how you handle employee and customer data, to ensure security and consumer control are upheld.
It will be a sweeping exercise, intended to make companies consider “privacy by design”—that is, how to govern privacy risks in every step of every process, and impose appropriate controls given the risks.
And companies in the EU have little more than six months left to do it; you have basically no time left in the Philippines. If you need assistance with the process transformation, we have experts in data-privacy protection and cybersecurity on call; contact me at Schumacher@eitsc.com.
Flashback: On July 11 I wrote about ‘Open Government Partnership – Part of Fighting Corruption’ and made extensive reference to reports prepared by the Independent Reporting Mechanism (IRM) of the local Open Government Partnership implementation group. The reason I used the IRM source is that the Integrity Initiative is part of the civil-society groups supporting the OGP program and the reporting of the IRM. In fact, the Integrity Initiative has added progress information to the latest IRM report.