Starting May 25, companies that collect or process personal data on EU citizens must begin complying with the EU’s General Data Protection Regulation, but even the savviest of global companies cannot say with any real certainty that they are fully prepared. At this stage, it’s all about doing your best.

That was the overall sentiment expressed during a recent panel discussion at Compliance Week 2018. Jennifer Schack, senior vice president and global head of privacy at global financial services company Northern Trust, summed up succinctly what most companies are thinking today: “What makes me feel somewhat uncomfortable is that there are so many unknowns about this regulation.”

“We have all built our programs based on how we’ve interpreted GDPR, but we don’t know what legal actions await,” Schack added. “We don’t how the regulatory bodies are going to rule, and we don’t know how that’s going to impact our plan and, perhaps, change the course of our implementation strategy.”

And the more products and services a company provides, the more complex GDPR compliance becomes. Fujifilm, for example, offers a broad array of both consumer and business products and services, some of which handle far more sensitive data than other areas—such as Fujifilm’s diagnostic imaging technologies for healthcare facilities, “and so part of what we need to do is a risk analysis,” said Avi Spira, chief compliance, risk, and privacy officer at FUJIFILM Holdings America Corp.

“GDPR is a big motivating factor to get our houses in order.”
Sanjay Manocha, VP of Compliance, Conduit

“The first step I would advise is to really understand your business,” Spira said. Where is the company’s most sensitive data being held? “It’s going to vary business to business, and even within your business from division to division,” he said.

As a 127-year-old company, founded in 1889, Northern Trust has lots of data—both structured and unstructured—and lots of old applications, “and so when we had the opportunity that GDPR gave us to do a data map, we took full advantage,” Schack said. “The data maps for us were a gold mine.”

Part of that data mapping process was achieved by using a new technology that Northern Trust implemented in-house that enabled the business to track data lineage across all applications—such as servers, data centers, geographies, and more. “We started with our high-risk areas,” Schack explained. For Northern Trust, high-risk areas are defined as those that have the largest volume of personally identifiable information on EU citizens.

Specifically, these high-risk areas included human resources, anti-money laundering, and the company’s fund administration business that does a lot of back-office outsourcing for fund management companies, “so we have all their investor personal information,” Schack said. Going through that data mapping exercise for those three high-risk areas and core applications took two years, and it only accounted for structured data.

How prepped are you for GDPR?

Compliance Week polled companies on their GDPR implementation efforts; responses are below.

But unstructured data accounts for most of Northern Trust’s data ecosystem, “so it was important that we not forget that piece of the puzzle,” Schack said. “We had a data loss prevention tool in-house that allowed us to start discovery on our network and SharePoint sites.”

Part of Northern Trust’s data mapping project involved the cleanup of paper records. If you are one of those companies that has piles of unorganized documents in boxes, you need to be educating employees about working with a data records and management service, like Iron Mountain, and learning how to label documents properly, so that they qualify as a relevant filing system from a records management perspective under GDPR.

For Northern Trust, the next step was to go through the process of what to do with those data maps. The first step was to meet with those three high-risk areas—HR, AML, and the company’s fund administration business—and show them what data they held. The key question posed to them was, “‘Do you have a lawful reason for processing that data?’ ” From there, conversations were had about data minimization opportunities, she said.

The last step, which was among the most complicated, was to look at record retention schedules and make sure that data was being purged according to those schedules. “We are working through a lot of that today,” Schack said. “We are leveraging external counsel to make sure we are doing it properly. That is part of our journey that we will be working on for quite a while.”

Next steps

Cédric Dubar, chief ethics and compliance officer at Volvo Cars, recommended that companies look to the Article 29 Working Party’s guidelines, as well as those put out by individual data protection authorities. “It’s important to remember that it’s compulsory for data protection authorities to react when individuals wage a complaint,” Dubar said. “If they don’t investigate the complaint, they can be sued, and so they will go after the company if there is a complaint.”

Already, the U.K. Information Commissioner’s Office (ICO) has signaled its willingness to enforce its data privacy regulations ahead of GDPR. On May 21, the ICO fined the University of Greenwich £120,000 (U.S. $160,000) for what it called a “serious” security breach involving the personal data of nearly 20,000 students, staff, and alumni. It is the first university to have been fined by the ICO under the existing Data Protection Act.

The investigation centered on a microsite developed by an academic and a student in the then-devolved University’s Computing and Mathematics School to facilitate a training conference in 2004. After the event, the site was not subsequently closed or secured and was compromised in 2013. In 2016, multiple attackers exploited the vulnerability of the site allowing them to access other areas of the Web server.

“While the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” ICO Head of Enforcement Steve Eckersley said in a statement. “Students and members of staff had a right to expect that their personal information would be held securely, and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The ICO fine is small in comparison to what the GDPR threatens to impose—up to four percent of total annual global revenue or €20 million (U.S. $25 million), whichever is higher. But companies that collect or process personal data on EU citizens should take it as a warning of things to come. On the panel at Compliance Week 2018, Sanjay Manocha, VP of compliance at Conduit, put it simply: “GDPR is a big motivating factor to get our houses in order.”