3 minute read 26 Mar 2019

Three questions to help enable GDPR solutions

By

US Americas

Multidisciplinary professional services organization


GDPR compliance work could further increase without an efficient process for responding to customer requests for their data.

Data protection has entered a period of unprecedented change. After a series of high-profile data breaches at well-known companies, demand for accountability in how companies use and safeguard the private information of their customers and employees has never been higher. Individuals expect far more control over how their data is used. The General Data Protection Regulation (GDPR), enacted by the European Union (EU), is one of the most significant and comprehensive data protection regulations intended to give them exactly that.

The GDPR lays out more than 350 new requirements, and failure to comply could result in fines of up to 4% of global annual turnover or €20m Euros — whichever is higher.
Jatin Rajpal
Senior Manager, IT Advisory Services, Ernst & Young LLP

GDPR includes EU and non-EU organizations

The GDPR lays out more than 350 new requirements, and failure to comply could result in fines of up to 4% of global annual turnover or €20m, whichever is higher. Contrary to popular belief, the GDPR is not restricted to businesses based in the EU: it also applies to any entity based outside the EU that processes the personal data of EU data subjects. That covers virtually every multinational firm that does business in Europe, which includes the vast majority of the Fortune 500.

Companies faced an enormous task as they raced toward the 25 May 2018 enforcement deadline, and they remain at very different stages of maturity in meeting its requirements. Several functions within a company, such as legal, human resources (HR), IT, information security, data privacy and compliance, need to work together to comply. At a high level, the GDPR mandates the following:

  • Know where personal data is stored and how it is being processed
  • Conduct regular and timely impact assessments to identify risks to data protection
  • Enforce privacy by design, supported by regular audits, assessments and monitoring of data privacy controls, including those operated by third parties
  • Honor the rights of the individuals whose data is processed, known as “data subjects” (customers and employees alike), such as the rights of access, rectification and erasure, and the right to withdraw consent
  • Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notify the affected individuals without undue delay when the breach is likely to pose a high risk to them

Example GDPR scenario

One of the most visible and impactful requirements is around data subjects’ rights. Consider the following scenario:

Joe, a customer, calls a company’s call center and asks what personal information the company holds about him. The call center employee emails a dozen different departments, asking each to search its ERP, CRM, HR or other systems for information that the call center will then deliver to Joe. Each person replies to the email, and the call center employee consolidates the results and sends them to Joe. Joe decides he wants a portion of that information deleted, so he calls the call center back and the whole process repeats, this time with an instruction to delete. All of this is recorded across various systems, spreadsheets and emails, so there may be no single audit trail of the activity.

While this approach may technically comply with the GDPR, it is not efficient, reliable, easily auditable or scalable. Organizations recognize that their systems, processes and tools may be too siloed, manual and reactive, yet few are thinking about solutions that address GDPR requirements in a comprehensive, automated and proactive way.

Three questions to help address GDPR regulations

When considering what to look for in a more robust, long-term solution to address GDPR requirements, organizations evaluating solutions should ask themselves three questions:

  1. What requirements does your solution approach cover?
  2. Is the solution on one or multiple platforms?
  3. Is it viable for the company’s environment?

While dedicated GDPR point solutions may look good on the surface, they can lack the depth and breadth of capabilities required to manage privacy and GDPR requirements end to end. Considering the key GDPR requirements, a platform such as ServiceNow, well known for its Enterprise Service Management capabilities and scalability, could serve as a technology foundation for GDPR enablement.

Summary

Organizations recognize that their GDPR systems, processes and tools may be too siloed, manual and reactive. Yet few are thinking of solutions to enable GDPR requirements in a comprehensive, automated and proactive way.
