GDPR includes EU and non-EU organizations
The GDPR lays out more than 350 new requirements, and failure to comply could result in fines of up to 4% of global annual turnover or €20m, whichever is higher. Contrary to popular belief, the GDPR is not restricted to businesses based in the EU: it also applies to any entity based outside the EU that holds data on EU data subjects. That covers virtually all multinational firms doing business in Europe, which includes the vast majority of the Fortune 500.
Companies faced an enormous task as they raced toward the 25 May deadline, and they remain at varying stages of maturity in meeting the requirements. Several functions within a company, such as legal, human resources (HR), IT, information security, data privacy and compliance, need to work together to comply. At a high level, the GDPR mandates the following:
- Know where your data is stored and how it is being processed
- Conduct regular and timely impact assessments to identify risks to data protection
- Enforce data privacy by design by performing regular audits and assessments and by monitoring data privacy controls, including those of third parties
- Provide a list of key rights (such as the right to consent, rectification, erasure and others) to all employees, otherwise known as “data subjects”
- Inform individuals and authorities of a significant data breach within 72 hours of detection
Example GDPR scenario
One of the most visible and impactful requirements is around data subjects’ rights. Consider the following scenario:
Joe, a customer, calls a company’s call center and asks what personal information the company has on him. The call center’s employee sends an email to a dozen different departments to have each look into the ERP, CRM, HR or other systems for information that the call center will deliver to Joe. Each person responds to the email and the call center employee consolidates that information and sends it to Joe. Joe decides he wants a portion of that information deleted, so he calls the call center back and the process repeats, this time with the direction to delete information. All of this is documented in various systems, spreadsheets and emails so there may not be a single audit trail of the activity.
While this approach may technically comply with the GDPR, it is not efficient, reliable, easily auditable or scalable. Organizations recognize that their systems, processes and tools may be too siloed, manual and reactive, yet few are considering solutions that address GDPR requirements in a comprehensive, automated and proactive way.
Three questions to help address GDPR regulations
When considering what to look for in a more robust, long-term solution for addressing GDPR regulations, organizations that provide solutions should ask themselves three questions:
- What requirements does your solution approach cover?
- Is the solution on one or multiple platforms?
- Is it viable for the company’s environment?
While dedicated GDPR solutions may look good on the surface, they lack the depth and breadth of capabilities required to manage privacy and end-to-end GDPR requirements effectively. Given the key GDPR requirements, a platform such as ServiceNow, well known for its Enterprise Service Management capabilities and scalability, could serve as a technology foundation for GDPR enablement.