GDPR will impact company executives in many different ways due to restrictions placed on the collection, processing and accessibility of data. Companies may not only have to introduce mechanisms to ensure their operations comply with GDPR, but may also have to change the way in which they conduct their operations.
This article looks at the impact of GDPR on company executives from several different angles. It discusses some of the management challenges companies will encounter, and suggests ways in which companies may be able to overcome the challenges while complying with GDPR. First, let's deal with the tricky issue of who is covered by GDPR.
Who is Covered by the General Data Protection Regulation (GDPR)?
Many articles discussing the General Data Protection Regulation and how GDPR will impact company executives refer to “the personal data of EU citizens.” This is not necessarily the case. Nowhere in the text of GDPR are EU citizens or EU residents mentioned. Instead, individuals covered by GDPR are referred to as “data subjects” who are present within the EU at the time data is collected.
GDPR applies to businesses that collect data from a data subject, process data collected from a data subject, or store data collected from a data subject, regardless of whether the business is located inside or outside the EU. It also applies to third-party service providers that may have access to the data, for example cloud service providers. GDPR will continue to apply in the UK once it leaves the EU in 2019.
For most companies, isolating the data of EU data subjects from non-EU data subjects would create a logistical problem too complicated to imagine – particularly as the data of non-EU data subjects may be subject to a different set of privacy and security regulations. Therefore, companies with a physical or online presence in the EU are applying GDPR to the entirety of their operations.
The Beneficial Impact of GDPR on Company Executives
GDPR is the most comprehensive data privacy standard in the world. Although complying with the regulation does not necessarily imply compliance with other data privacy regulations (HIPAA, SOX, etc.), many companies are using the introduction of GDPR as a reason to conduct data audits. These not only reveal where the companies stand in terms of GDPR compliance, but also help them understand their data flows.
According to digital governance advisor Kristina Podnar, few companies have an absolute awareness of what data they collect, process, store and share, and how it is used. She claims that by understanding which business processes depend on data subjects' data, and by controlling that data better, companies can gain insights that will improve their digital strategies and support the realization of business goals.
In addition to this beneficial impact of GDPR on company executives, Podnar also notes GDPR is effectively forcing companies to adopt governance best practices that should already be in place. She adds “naming an individual accountable for understanding business-wide data collection and management practices [the GDPR Data Protection Officer] should be the norm and not a struggle”.
The Challenging Ways in Which GDPR will Impact Company Executives
Unfortunately, there are many challenging ways in which GDPR will impact company executives. The GDPR regulations relating to how data is collected, processed, stored, and shared will restrict access to data for many company departments – for example finance, marketing, sales and HR. This will undoubtedly impact operations and the management of operations. For example:
- There will be less data collected or acquired from third-party vendors because data subjects will be better informed about how and why their data is being processed and with whom it is shared (so naturally some data subjects will withhold consent).
- For finance departments, access to databases will be restricted in order to comply with the security protocols of GDPR. In some cases, historic databases may be deleted or securely archived to prevent the disclosure of personal data and the risk of GDPR fines.
- Where data is accessible, departments will only be able to use it for the purposes explicitly stated when the individual gave their consent. Therefore, a sales department may not be able to share a customer’s data with the marketing department in order to retarget the customer.
HR departments will likely witness a substantial increase in their workloads. Due to the perceived “imbalance of power” between employers and employees, consent for the retention and processing of sensitive personal data is not considered by GDPR to have been “freely given.” Employment contracts may have to be re-assessed and consent re-obtained. However, that is just the beginning.
Employees – along with every other individual for whom personal data have been collected in the past – have “Individual Rights” under GDPR. These rights include the right to know what personal data is held about them, the right to rectify any personal data that is inaccurate or incomplete, and the right to erase any or all personal data under certain circumstances (the “right to be forgotten”).
It is not known what volume of work the “Individual Rights” clauses of GDPR will create for HR departments or GDPR Data Protection Officers – who should be the company’s point of contact for GDPR requests – but it is likely to be the most challenging way in which GDPR will impact company executives once the initial compliance issues have been attended to.
The Issue with Overcoming GDPR Requests
The issue with overcoming GDPR requests is that personal data is fluid and often stored on independent databases. In many circumstances the individual might have changed:
- Their name, if they got married.
- Their address or phone number, if they've moved.
- Their payment information, if they changed banks.
Not only may there be many different data-sets relating to the same individual, but the data-sets are likely to be distributed between sales databases, finance databases, and customer service databases. In the event the individual is an employee, their personal data may also be stored on HR databases, employee self-service portals, and in email archives.
Few companies have these databases and archives connected in order to generate a single GDPR access report, rectify inaccurate or incomplete data, or delete data when individuals exercise their rights to be forgotten. The time it might take to collect a full set of data may well exceed the forty days allowed to respond to GDPR requests, especially in a company with limited IT resources.
Resolving the GDPR Request Issue
To avoid fines for late responses, companies can implement CloudHealth's cloud management platform. Although the platform is primarily used to optimize cloud costs and the performance of assets deployed in the cloud, it also makes it easy to securely access data using the programming language of your choice, regardless of whether the data is stored in a public or private cloud, a hybrid environment or a physical IT infrastructure. Resolving the GDPR request issue is not the only reason for considering CloudHealth to mitigate the impact of GDPR on company executives.
With CloudHealth, your company can enhance its security in order to avoid data breaches from compromised logins and malware. Our cloud management platform gives you the opportunity to proactively monitor your infrastructure with security policies that, for example, could prevent a hacker from logging in remotely from an unknown IP address or could terminate assets with unauthorized open ports.
By having visibility of your data and governance of your IT infrastructure you can accelerate your compliance with GDPR and remain compliant thereafter through policy-driven automation.