aftershocks of gdpr

Aftershocks of GDPR: Making Sense of the Business-Wide Effects of New Data Privacy Laws

Leading up to the May 25 General Data Protection Regulation (GDPR) compliance deadline, many of us saw these subject lines flood our inbox: “Please confirm your subscription,” “Last chance to stay on our list,” and “Do you still want to receive our emails?” Even organizations not directly impacted by GDPR compliance had to keep their heads above water.

Practically every marketer I know focused on ensuring they had specific opt-in permissions from prospects who either live in the European Union (EU) or may be using an IP address that originates in the EU. Unsubscribe requests were processed. Email preference pages were created. Privacy policies were changed. It was a marketing frenzy.

However, information security marketers need to proceed with caution. The data protections laid forth in GDPR should not be treated as a one-time concern. This should be an ongoing effort to be more mindful and transparent about the way data is collected and processed.

GDPR specifies that businesses that control and/or process personal data are now responsible for the security of that data, and responsible for compliance with all new and enhanced rights. “I didn’t know that was the law” and “I’m not sure how that information was accessed” aren’t excuses anymore. The specifics of these new rules include but are not limited to:

  • Clear requirements and instructions for opt-in and unsubscribe requests
  • Privacy policies that are accessible, understandable, and easy to read
  • Limits to how long businesses can hold onto individual information
  • Instructions to comply with an individual’s request that their personal data be anonymized or erased
  • Rules about informing individuals about data breaches

This means that GDPR affects any business department that handles the personally identifiable information (PII) of prospects, customers, clients, users, and even providers, suppliers, vendors, and partners. Of course that includes the marketing department. However, it also affects the finance department, human resources, information security and technology, and anyone who defines business processes and policies.

The focus on individual data privacy is very likely to translate into newer and stricter standards beyond the EU. Even for businesses not affected by the EU, the GDPR provides a framework for a new way of thinking about the “why” and “how” of data protection practices across the entire organization. This is an opportunity to take a closer look at your current information security programs and policies.

Post-GDPR Implementation and Data Retention Considerations

When it comes to PII or Health Insurance Portability and Accountability (HIPAA) information, retention policy applies across all departments, and information technology (IT) systems are automatically identifying this data.

For instance, if your company is using Office 365, you’ll have policies in place to tag and retain HIPAA and PII data. The IT department plays a vital role in this entire process. They should also review the security of internal tools that hold onto individual data, including accounting software, customer relationship management (CRM) solutions, project management tools, client-facing applications, and others.

Here’s how other departments should approach data retention:

  • Department heads should analyze when they capture individual data, how they use that data, and when they don’t need that data anymore
  • The development team should work with IT to determine how test data is secured in sandbox environments (hosted in public cloud environments like AWS or Azure), and how long is it retained
  • The marketing team should utilize a database that clearly captures opt-in information and provides an easy, clear process to unsubscribe
  • The legal team should understand all data privacy laws and their potential impacts on the business
  • The security teams in charge of cyber security and information security should also review their current incident response policies

This information should then be used to develop policies defining how to identify and manage all individual data, maintain data hygiene, secure databases across all tools, address data breaches, and monitor the overall data ecosystem. The result will be clear and correct data privacy policies and processes, an improved understanding of how everyone can work together to secure data, and a stronger defense in the event of a data breach or a data privacy complaint.

It’s also critical that companies establish ongoing training, education, and programs to create a culture of accountability for data privacy and protection.  Our cyber security analysts go through annual PII/HIPAA training to ensure that they know what type of data fits into these categories, and what to do if they come across this information. For certain business certifications such as SOC 2 Type II, annual training is required.

Summary

From both a marketing perspective and a business-wide perspective, approaching the post-GDPR world means elevating the importance of privacy for all data-driven initiatives. As Gartner analyst, Bryan Yeager, stated, it’s time to think about how you can use a pivotal moment like the GDPR to engender value and trust in your future engagement with customers.

This is also the perfect time for your organization to start looking at the entire data security spectrum beyond individual data privacy, to better prepare for the potential of future regulatory requirements.