When AOTMP spoke recently with a client whose large, multi-national company has its headquarters in northern Europe, we discovered some specific details about the journey an enterprise might need to take towards GDPR compliance.
While it’s clear that this organization was already practicing robust data protection habits, there were still changes that needed to be made to their current processes to avoid what would be massive fines for non-compliance. This client, who has asked to remain anonymous, is a key leader within the telecom management team and works directly with multiple vendors, providers and carriers on a global scale. He has shared some insight on the necessary planning for legal, security and operational adjustments your teams might need to make now that GDPR has taken effect.
Below are some of the highlights from the discussion. AOTMP was asked to keep the name of his company anonymous due to legal limitations on discussing their corporate policy and strategy.
Q: Prior to beginning the process of becoming compliant, did you have internal training or informational sessions with your leadership teams so that everyone could become familiar with the new regulations?
A: There was full training on the new regulations, including numerous sessions with our telecom teams and IT to go into detail about what they need to understand, how to handle data, the consent required, etc. Those new regulations had to be embedded in the processes and adjusted policy so that all new agreements would be covered. We already had a data privacy officer in place and that office will control updating any data privacy agreements that existed prior to the new regulations (i.e. vendor agreements that must be signed as well as any new agreements).
Q: Did your team spend significant time doing a risk assessment before you created a project plan for compliance? If so, what kinds of information did you include in that assessment?
A: The security department went through all the existing contracts to be sure that the data privacy agreements were strong as well as to identify gaps and address those gaps. If there wasn’t a DPA in place with a vendor, then the time was taken to get one put in place – which can be a time-consuming effort, so I recommend making this a priority. For sourcing and procurement, the rule has been changed to make having a DPA in place a standard rule. In fact, for telecom expense management particularly, the DPAs that were already in place were even stronger and had been based on rules that are more stringent than GDPR compliance regulations; so, they have become a kind of template for other areas of our company to use. Our legal team worked to create all the templates in conjunction with our Data Protection Officer to ensure every aspect of GDPR compliance was completely covered. Also, if a vendor wants to make changes to our standard DPA, it then requires both the vendor legal and our corporate legal teams to come to agreement on terms.
Q: Did your company do an internal audit of information and data to create a baseline of personal data that is currently under the purview of the company to cover the GDPR compliance accountability principle? If so, how long did that audit take to complete? What areas of the company contributed to that data inventory?
A: Initially our data security team had taken all our existing contracts and reviewed them, then assigned tasks to perform based on the vendor, issue, etc. The more challenging aspect of things came when an individual was using a personal device for work or to perform limited work functions. When it comes to BYOD, it is very necessary to designate which parts of the data on those devices are “owned” by the user versus the company. A best practice is to use containerization on those devices to protect the corporate data specifically. We utilize strong mobile application management (MAM) services so that there is a clear demarcation of work and personal data. For example, if you only want access to emails for work, you can use MAM to segregate that data from personal data.
Q: Were there changes that had to be made to your systems or processes to allow for things like right to erasure, right to restrict processing or data portability?
A: For the most part, we already had systems in place for those procedures. The one piece that had to be accounted for as part of GDPR compliance is when someone chooses to “be forgotten,” which means a certification must be provided, when requested, that proves the data deletion was done completely. That was not something that we were previously supporting, so it had to be created.
Q: Were there significant updates or changes necessary to become compliant with the new GDPR compliance consent guidelines? If so, how long did it take to get those in place or to make the necessary updates?
A: Some small changes were made to some of the applications being used so that consent could be captured. Originally, our thought was to link our travel expense management systems to our current telecom expense management systems, but we discovered that there are specific areas of “profiling” that tracking that data might violate. The consent given for the travel management programs to know personal information doesn’t, by default, also allow the telecom expense management programs to know and access information. However, from a telecom expense optimization standpoint, there are some very clear indications that linking these systems could be a significant cost-saving effort. We are continuing to work on a solution for how we can put this in place while still staying compliant with GDPR.
Q: In the case of the DPIA requirements for new technology, did you alter your organizational structure to allow for having dedicated resources to conduct those assessments or are you planning to absorb that extra step within existing project management teams whenever it becomes necessary?
A: We already have some data security teams that can do these DPIAs when needed. We’ve also found that we can get much of the necessary information from the vendor. There was no real need within our organization to have dedicated resources for this aspect of compliance.
Q: How did your team determine a lead supervisory authority due to the multi-national aspect of your business?
A: In our case, since there were multiple potential offices that could be used to define our lead supervisory authority, the selection was made by our CEO. That doesn’t change the fact that it was necessary for this project to have global scope, which meant that all our offices in the world are now required to be GDPR compliant. It was decided early on that it was not acceptable to take a chance on incurring the fines for non-compliance; the size of our company makes the 4% of annual global turnover (or €20 million, whichever is greater) too significant a number to accept. The penalties being so large, we have made it a requirement that every area of IT and telecom across the globe meet the requirements for compliance. It’s been a significant project for our organization, but we have managed to meet the requirements, and we did it before the deadline.