A month away, and the General Data Protection Regulation (GDPR) looms large.
As Shakespeare wrote centuries ago (without data mapping in mind), the readiness is all.
IdentityMind CTO Kieran Sherlock told PYMNTS the readiness for the sea change in data privacy varies. Many of the larger EU-based firms have been preparing for GDPR for years and have processes in place that anticipate the formal debut of GDPR and its compliance mandates.
Yet, he added, discussions with IdentityMind’s own client base lean toward smaller FinTech companies, where there has been less awareness of GDPR, and fewer requests for help in preparing for it, than he might have expected.
However, Sherlock stressed the deadline may not necessarily be a hard line of preparedness.
“The regulators are thinking of this as being a process, so if a company has not done anything by the time they get to May 25, then they have the potential for significant issues,” he said.
“In my view, there will be recognition from the regulators that compliance with GDPR will be an ongoing process,” he continued, “where over the coming year, and over the coming five years, we will figure out how to interpret the regulation and what it could mean on the ground.”
Regardless of the process itself, he noted, “you must be looking at GDPR. You must be moving towards transparency.” That transparency requires firms to be explicit in what they’re doing with consumer data, he told PYMNTS.
In terms of a roadmap, Sherlock said companies must “take those [customer-facing] terms and conditions that the lawyers wrote three and five and 10 years ago and go back through the legalese and make it understandable.” A layperson needs to be able to understand why a company is going to collect data, what it is going to be used for and how long that data will be retained, he stated.
As part of GDPR (article 25), privacy by design is a foundation that points toward “data protection by design and default” — underpinning corporate decisions writ large and small.
Sherlock stated that “privacy by design” is analogous to the shifts seen more than a decade ago in security, when every time a development team sought to research and implement a new feature, the discussion had to (and still must) revolve around security of the platform, the network and the product on offer.
“So, in every meeting where product and engineering are coming together to define a new feature, everyone needs to have in their mind how … this [impacts] the privacy and the risk of privacy violation of the end consumer,” he said, from the C-suite down.
Asked by PYMNTS where conflict may arise over collecting and storing data, Sherlock noted that in some verticals, such as financial services, risk mitigation in overseeing transactions, along with KYC (Know Your Customer) and AML (Anti-Money Laundering) rules, may require firms to retain consumer data. Thus, the compliance side, at least in financial services, may override the privacy side of the equation.
Issues arise, too, over cross-border presence, where EU-domiciled firms touch foreign shores via customer bases or transactions — or where firms outside the EU have reach into the EU.
Sherlock offered an example where IdentityMind, under GDPR’s definitions, acts as a data processor. He added that many of IdentityMind’s clients are based in the EU.
Thus, IdentityMind must be GDPR compliant — with tools in place that allow clients to answer questions about data and to act on requests from end users, from collection through deletion.
When it comes to U.S. firms, he explained, “my interpretation of the [GDPR] regulation is that if you are a U.S. company and occasionally someone from the EU comes to your website, then you don’t necessarily have to be GDPR compliant.” But a U.S. company that has any type of EU pricing for its products or inroads into the region, “if you are attending trade shows in the EU, if you have a sales rep in the EU or have a pricelist in euros in order to pay in [euros],” those firms must be GDPR compliant.
Looking beyond the initial implementation of GDPR, said Sherlock, there is likely to be uniformity on opt-in and opt-out choices for consumers. Amid global commerce, it seems unlikely that both standards would coexist — one tied to the U.S. and the other to the EU.
Sherlock also offered a data-mapping process: “If you are beginning today, you’re late to the party but … welcome! I would begin with finding an owner for the data-mapping project (someone already handling other compliance matters … who has the authority to make things happen), [reading] the regulation to get a sense of the scope of the regulation and [starting] today.”
He recommended that firms find their “data lakes,” where any EU-centric data (or even employees’ data) may be located. Sherlock emphasized that companies must “not forget to include SaaS partners that you may export data to for analytics.”
“Document the personal data that you are maintaining within these databases and then work backwards to determine where that data is coming from, has the consumer consented, who are the authorized users with access to the data and where is it used,” he recommended. For example, “who are the third parties storing (e.g. cloud provider) or reporting on the data?”
“A final thought might be that regulation is often thought of as being a burden or [a] cost on the business,” he told PYMNTS. “I think of GDPR as being different; it is an opportunity to ‘do the right thing’ for the consumer, at the same time allowing … [companies] to differentiate themselves from their competition in their respect for the ‘rights and freedoms’ of the consumer.”
You can read the full report, “IdentityMind, GDPR, And You” here.