By Balaji Padmanaban, Senior Director, IT, VMware
To learn more about how VMware IT implemented GDPR, read part 2 of this blog, “Complying with GDPR: Taking a Holistic Approach to Data Privacy.”
In 2016, the European Commission (EU) approved a new General Data Protection Regulation (GDPR). In short, GDPR states that if a website collects or stores data related to an EU resident, the company operating the site must comply with the following requirements:
- Tell the user who it is, why the data is being collected, and how long it will be stored
- Obtain the user’s consent before collecting any data
- Provide a mechanism through which users can access or delete their data
- Let users know if data breaches occur
Effective May 25, 2018, this landmark legislation affects any company processing or holding the personal data of people who reside in the EU, including VMware. While business groups and stakeholders direct how this regulation is implemented, it is ultimately about the collection and storage of data across systems. As a result, IT plays a central role in the implementation of compliance strategies across any organization.
VMware’s GDPR Strategy
Although the GDPR only affects EU data, VMware recognized that it would be practically impossible to isolate the data for a particular application and user group within an EU data center due to our global IT environment. A global, holistic solution made more sense. The company made the decision to design a global data privacy initiative with a systematic framework that could be applied and adjusted across other jurisdictions as needed.
IT joined a cross-functional team of Sales, Marketing, Support, Legal, HR, and Privacy leaders. As part of its charter, the team adopted a comprehensive information governance strategy for data:
- Requiring the implementation of global governance and policies
- Providing a consistent understanding and trust of data quality
- Ensuring consistent use of data across the organization
The strategy also outlined accountability, performance metrics and reporting, centralized information management, and corporate due diligence for information assets.
IT’s Role in the GDPR Initiative
The cross-functional team began by performing a rapid governance assessment to evaluate the maturity of the privacy program, then identified and assessed the controls required for compliance. What quickly became apparent was that user data had to be looked at holistically and that it involved many different teams within VMware.
IT played a critical role in translating the new policies and processes into our technology platforms. IT examined what personal data the company had, where it was stored, how it was shared, and then attached data retention and security policies to the data. A person master was created to help the company better manage the data it holds about our customers, prospects, and vendors.
Biggest Challenges: Consent
One of the biggest issues IT faced in GDPR compliance was obtaining and storing consent data, especially in the sales, marketing, customer support, education, and event systems. We deployed banners across all forms and websites to ensure consent was required and data collection policies were consistent. Within the Consent track, IT’s role was to:
- Make sure data protection was inherent in any data that we design or inherit, regardless of whether it came from a product or a website.
- Document the actions (i.e., discussions and processes) to show that VMware was progressing on its compliance.
- Develop and implement a Consent Management Solution that documents and tracks unambiguous consent through voluntary opt-in.
- Ensure that all systems could access the most recent consent information before every transaction.
- Create the ability to trace each customer’s record into the various systems where his/her data is stored and remove/delete the data as needed.
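The consent-track requirements above (unambiguous opt-in, latest consent checked before a transaction, tracing a person's records across systems and deleting them) can be illustrated with a small in-memory ledger. This is an added example, not VMware's Consent Management Solution; the system names, record IDs and timestamps are constructed, and the registry of where data lives is a hypothetical stand-in for the person master described above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # e.g. "marketing_email"
    granted: bool         # True = voluntary opt-in, False = withdrawal
    recorded_at: datetime
    source: str           # banner or form that captured the decision (audit trail)

class ConsentLedger:
    """Append-only log of consent decisions plus a (hypothetical) registry of where each person's data lives."""
    def __init__(self):
        self.events = []
        self.systems = {}  # system name -> {subject_id: [record ids]}
    def record(self, event):
        self.events.append(event)
    def has_consent(self, subject_id, purpose):
        """Newest decision per (subject, purpose) wins; no recorded opt-in means deny."""
        relevant = [e for e in self.events
                    if e.subject_id == subject_id and e.purpose == purpose]
        return bool(relevant) and max(relevant, key=lambda e: e.recorded_at).granted
    def register_records(self, system, subject_id, record_ids):
        self.systems.setdefault(system, {}).setdefault(subject_id, []).extend(record_ids)
    def trace_subject(self, subject_id):
        """Map system -> record ids for one person; the precondition for any deletion."""
        return {name: ids for name, table in self.systems.items()
                if (ids := table.get(subject_id))}
    def erase_subject(self, subject_id):
        """Delete the person from every registered system and return what was removed."""
        removed = self.trace_subject(subject_id)
        for table in self.systems.values():
            table.pop(subject_id, None)
        self.events = [e for e in self.events if e.subject_id != subject_id]
        return removed

def demo():
    def at(hour):  # constructed timestamps on the GDPR effective date
        return datetime(2018, 5, 25, hour, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("c-1001", "marketing_email", True, at(9), "web_banner"))
    ledger.record(ConsentEvent("c-1001", "marketing_email", False, at(14), "preference_center"))
    ledger.record(ConsentEvent("c-1002", "marketing_email", True, at(10), "event_form"))
    ledger.register_records("crm", "c-1001", ["lead-77"])
    ledger.register_records("support", "c-1001", ["case-9", "case-12"])
    ledger.register_records("crm", "c-1002", ["lead-80"])
    checks = {s: ledger.has_consent(s, "marketing_email") for s in ("c-1001", "c-1002", "c-1003")}
    removed = ledger.erase_subject("c-1001")
    return checks, removed, ledger.trace_subject("c-1001"), ledger.trace_subject("c-1002")
```

The withdrawal recorded at 14:00 overrides the earlier opt-in, an unknown subject is denied by default, and the erasure returns exactly the records that were traced, which is what a data subject request needs as evidence.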
System remediation was another key focus for IT. More than 75 applications across the company were updated to bring them into line with enhanced GDPR requirements. In addition, IT had to train all the customer and employee-facing teams on what data could be collected, stored, shared, and deleted.
A total of six tracks were identified. In addition to consent, system remediation, and business remediation, the team addressed privacy-enhancing tools (PET), data loss prevention (DLP), and data subject access rights (DSAR). You can read more details about VMware IT’s role in all six tracks in this blog.
Because this was a new initiative without any precedents, IT learned a lot during this journey. Here are three things that were important to our success:
- Compiled an updated inventory of the current application landscape, including IT-owned and non-IT owned systems (particularly SaaS) so we knew the scope of the project before we started.
- Tried to be realistic about what we could accomplish and focused on high-priority, personally identifiable information (PII)-related system remediation. We recognized that we had to be smart in deploying resources to meet the schedule.
- Published Quick Reference Guides and online training to raise awareness of the importance of GDPR to VMware as a company.
By taking a holistic perspective, performing a fully inclusive system and data review, and updating core policies and processes as part of a cross-functional team, VMware has built a sustainable program to demonstrate compliance with the GDPR. IT’s role was vital in ensuring data is treated consistently across all technology platforms and according to GDPR requirements. By adopting a flexible framework, VMware can easily adapt to changing and emerging regulations in other jurisdictions.
To read more about our GDPR journey, I invite you to read the second part of this blog, “Complying with GDPR: Taking a Holistic Approach to Data Privacy,” in which we detail our global data privacy journey.
VMware on VMware blogs are written by IT subject matter experts sharing stories about IT’s transformation journey using VMware products and services in a global production environment. Visit our portal to learn more or follow us on Twitter: @VMWonVMW.