©2018 DOCUMENT Strategy

This article appears in the Summer 2018 digital issue of DOCUMENT Strategy.

The General Data Protection Regulation (GDPR) has officially gone into effect and is undoubtedly a transformative piece of legislation for organizations operating in the European Union (EU). Yet, there is still much to learn about the new regulation, as executives and enterprise leaders are quickly discovering.

While it is still early days, many organizations are running into the same questions and challenges when implementing the GDPR. One area that is still very new for companies is handling data subject access requests. Organizations are struggling to understand exactly what information they need from a data subject in order to process a request, how to confirm that the request is legitimate, and how to verify the identity of the person making it. The last point matters more than it may first appear: a subject access response that goes to an impersonator is itself a disclosure of personal data to an unauthorized party, so identity verification is a security control, not just a procedural step.

Certainly, these are issues that organizations have been preparing for in advance, but the reality of processing these requests (some of which are very broad) is compelling organizations to reexamine their processes and how effectively those processes meet the GDPR's requirements, especially the practices used to confirm and authenticate the individual making the subject access request.


Another area that remains unclear for organizations is the communications they are required to send to customers, clients, and other parties. Since late May 2018, when the regulation took effect, we have all been receiving messages asking us to confirm that we want to remain on an organization's email distribution list. Companies, especially those a bit behind the curve, continue to have questions about what they need to do in terms of organizing and issuing such communications. Many are still uncertain whether this authorization or consent is actually needed in order to market to these individuals.

A number of organizations, vendors in particular, are also unclear about how to demonstrate the adequacy of their security controls. As expected, companies want to know whether the security policies and practices of their vendors meet GDPR standards and whether those vendors consider themselves GDPR-compliant. Typically, third parties receive questionnaires from client companies; some contain just a few questions, while others are extremely detailed and run to hundreds of questions. Not surprisingly, third parties have their own questions about how to respond effectively.

Why are some companies so concerned about their vendor relationships? Under the GDPR, the requirements flow downstream from the data controller, the entity that determines why and how personal data is processed and that typically collects the data (or whatever personally identifiable information is gathered) directly from the data subject. Vendors that receive and process this data on the controller's behalf are data processors. The controller may only engage processors that provide sufficient guarantees that their processing will meet the regulation's requirements, and it is up to the controller to make sure that all of its processors are compliant.

We see two activities taking place here:
  • The first involves the contractual obligations a company seeks from a vendor. The company (i.e., the data controller) sends a data privacy addendum for its contracts to every vendor that has access to GDPR-relevant data.
  • The second activity involves the company verifying that these vendors are meeting not only their contractual obligations but their GDPR obligations as well. To that end, many companies are expanding or launching third-party security and privacy assessment programs. Generally, this takes the form of surveys distributed from the upstream data controller to its data processors, with questions about their compliance practices, how they handle the data, and what security controls they have in place, among other topics.
Many data controllers already have vendor security programs of this kind. With the GDPR, companies are expanding their existing programs or implementing new ones so that, in addition to the security-specific activities they already covered, they also assess the privacy-related terms the GDPR now requires.

These are a few of the initial challenges companies are reporting early in what will assuredly be a long GDPR journey. More challenges will certainly arise, particularly once regulators begin assessing GDPR compliance in detail.

Jeff Sanchez is a Managing Director with Protiviti, a global consulting firm. He is a leader within the firm’s Security and Privacy practice and leads Protiviti’s GDPR practice. For more information, visit www.protiviti.com.