‘EU are the world’: 5 expert tips on GDPR compliance
If your enterprise works with data (and which enterprise doesn’t these days?), you’ve probably been paying attention to the EU’s General Data Protection Regulation (otherwise known as GDPR or simply, “the Regulation”), a new set of rules expanding the privacy rights of all EU citizens.
Recently, “GDPR: Beyond Borders,” a series of expert panels sponsored by Braze, mParticle, and Mailjet, provided an industry audience with key insights on how brands can make the journey to GDPR compliance more easily. If you missed the panels, have no fear—we’ve rounded up the five most essential GDPR tips:
#1 Focus on the spirit of the Regulation
Dr. Pierre-Nicolas Schwab, chairman of the Big Data Initiative at the European Broadcasting Union, outlined what he considered to be the foundations of GDPR compliance.
- Implement privacy by design. Checks and balances for users should be built into everything you do.
- Adhere to a principle of fairness. Assume all users have the same privacy rights that EU citizens have.
- Adopt a code of conduct. Make user privacy a part of your company mission statement.
In short, focus on the spirit of the Regulation, as opposed to the bare minimum it takes to cross T’s and dot I’s. Ask yourself and your colleagues how GDPR compliance can best be integrated into the fabric of your organization.
#2 Assume all users are EU citizens
Susan Wiseman, general counsel of Braze, pointed out that since it’s often difficult for brands to know whether a given user is an EU citizen or not, it’s best to assume that all users are.
Antonis Patrikios, a partner at the privacy informational group at Fieldfisher, added that the GDPR is likely to influence future regulations in Asia, underlining that the impact will be global.
Regarding the rush to meet the May 25th deadline, Patrikios offered a reality check: “Focus on understanding what you need to do and fixing the tricky problems…and then you can sort out the rest later.”
#3 Err on the side of over-explaining to users
Perhaps the most-discussed aspect of GDPR is its consent mandate. Patrikios and Schwab brought out an important nuance: It’s not enough just to ask for permission. The user must understand clearly what exactly their data is going to be used for. To simply state that it might be used in the future, or that it might be shared with partners, is not enough. If you don’t know what you’ll be using a given piece of data for, it’s better not to collect it.
#4 Be your brother’s keeper
Jon Hyman, co-founder and chief technology officer (CTO) at Braze, summing up the essence of data controller/processor partnerships in GDPR terms, explained:
- The Regulation gives users new rights.
- Data controllers are obligated to enforce those rights.
- Data processors are obligated to enable data controllers to fulfill those rights.
- Sometimes, the client of a data processor will be another processor, and the obligation continues down the chain.
Darine Fayed, head of legal at Mailjet, brought a little levity by singing a few notes of “Should I Stay or Should I Go” by The Clash, illustrating the need to abandon vendor relationships that are not conducive to compliance. Every department must maintain a list of outside partners, and each of those partners must be surveyed about their data usage to ensure that there’s no weak link in your GDPR compliance efforts.
Hyman noted that finding GDPR-compliant partners is not so different from finding partners that are compliant with other regulations, such as SOC 2. He noted two major considerations:
- Understand exactly what data you’re sending them, and why: Is it more than they need?
- Determine the risk differential in working with one provider vs. another.
Fouad Khalil, head of compliance at Security Scorecard, offered an upbeat perspective: the pressure of an upcoming audit can bring real clarity to operations. Priorities become easy to set, and less important projects automatically take a back seat.
Ben Hoxie, Director of Product Management at mParticle, and Kate Hooker, who leads the legal department at Greenhouse Software, worked with Marissa Aydlett, head of marketing at Braze, to outline the steps to figure out your GDPR prioritization:
- Do an impact assessment.
- Form a committee of internal stakeholders.
- Get legal help.
- Keep contracts up to date.
- Make sure you know who all your vendors are.
The panelists also discussed the importance of establishing a process to keep internal teams aligned. The key is building cross-team collaboration into the compliance process, ensuring that your GDPR compliance efforts have multiple internal champions and that all teams feel they have skin in the game.
Speaking of different perspectives between departments, Hoxie pointed out that, while the GDPR’s ambiguity may be frustrating for a lawyer, “for a product person [the ambiguity] is kind of fun because there’s a little bit of room to swim. To…’build a flexible solution.’”
Khalil said: “As an auditor myself, even if you are not at a point of compliance, but you show progress, you show a date when you’ll satisfy the law, that’s a good step.”
In other words, don’t let perfect be the enemy of good: Just get started. For more insight, watch the complete “GDPR: Beyond Borders” session here.