corporate
2018/05/08
 
8 May, 2018 | 3 min read

Wait, I have to have WHAT in place by May 25, 2018?

  • Ishara Naotunna
  • Product Marketing Manager - IAM - WSO2

We’re THIS close to inventing a drinking game everytime someone says GDPR. It’s quite fascinating to see how much is going to change with this regulation. Just like college, everyone is scrambling to meet the deadline of May 25, although the regulation came into place in 2016 and this is technically a “grace period”. Personal data and privacy are more important than anything else. We bet you now regret the time you clicked on “What does your favorite pizza topping say about your personality?” in exchange for all the personal data you submitted at the time - without so much as a second thought.

GDPR is going to change everything and place user consent on top, which is great. But if you’re an enterprise dealing with data of anyone living in the EU, you’ve got a lot to do. We put together a few questions we encountered, let us know if these help!

What exactly do I need to have in place to be in compliance with GDPR?

In this article we’ve listed 7 pragmatic steps you can take depending on where you are on the journey. Here’s a quick look of what they are:

  1. Build awareness around GDPR: in-depth awareness and building in-house expertise on all aspects of the regulation.
  2. Analyze if you’re company is affected: if you’re dealing with PII (personally identifiable information) of “residents” in the EU, then your company must deal with GDPR.
  3. Review the impact of your current data: thoroughly evaluate if all data collection methods used the necessary consent and furthermore, if you are able to demonstrate proof of consent.
  4. Review your systems and processes: review data storage and access mechanisms, and specifically decide if a data processing impact assessment (DPIA) must be carried out. It’s recommended you get a professional’s help with this.
  5. Implement necessary safeguards: adjusting business processes, upgrading software/storage systems, training for staff members, and introducing auditing systems.
  6. Appoint a DPO/EU representative: to address GDPR related matters within the organization such as advising staff members on data protection procedures, monitor compliance, and act as the point of contact for supervisory authorities when liaising with them.
  7. Revise your documents and policies: thorough review of all documents and policies of the organization such as websites, terms and conditions, privacy policies, and social channels.

I’m a company in Milwaukee/Bikini bottom [or insert wherever you’re from]. Should I concern myself with GDPR and if so, to what extent?

As long as you’re dealing with PII - Personally identifiable information of those living in the EU, GDPR affects you. From a small retail company to a large financial organization, as long as you deal with Karen who lives in Norway, your company must be compliant with the law. You can find a link to all the laws here.

Should we extract and provide all of the customer data if requested by the customer? All the data or just the personal data like name, address, email, etc? Should we also extract the old orders that we have stored in the system?

Yes. Absolutely. There’s a right on “data portability”, meaning there should be a mechanism to access all the details if an end user wants to. Remember that with GDPR, it’s all about the customer and their rights must be given the utmost priority.

All data or personal data?

All the data. Whatever that’s stored, for whichever reason, should be made available if the user requests. The key term here is, PII - personally identifiable information. And if individuals want their data erased, you must adhere to it too.

Does WSO2 provide consultancy to make an organization GDPR compliant?

If it involves technology such as using WSO2 products, yes, we can provide consultancy to help your organization. Successful GDPR compliance require changes in people, process, and technology aspects. WSO2's suite of technologies can be used to make your organization GDPR compliant. To reiterate, if you’re looking for consultancy from a technology perspective and if it concerns our products and technology, yes, we provide consultancy based on that.

How can you help me speed up the process? What tools do you provide? / How exactly are you helping to implement GDPR compliance?

WSO2 provides a stack that’s fully GDPR compliant, this includes the WSO2 Identity Server, Enterprise Integrator, API Management, and the open banking solution. This article will help you understand what you need to look for when searching for a GDPR compliant IAM product and how it helps to optimize your GDPR strategy. WSO2’s open source Identity Server in particular can help you save time and cost involved given the consent management and the privacy tool kit in our latest release. Get in touch with us if you’re building your own solution or if you have any questions. What our products will essentially do is, help you build a GDPR compliant solution. You can find out more here.

Should we perform pseudonymization of the database in order to protect our data?

If by our you mean your customer, yes. Performing pseudonymization is in fact a best practice. So yes, by all means. If the end user requested you to erase their data, you should comply according to the “right to be forgotten” rule. Having a proper IAM solution in place to do this would be helpful too. We also have a privacy toolkit that will enable you to do that, learn more here.

We are a company who is doing business with EU customers. We maintain their data in our CRM, do we fall under GDPR? In this case how can we collect consent of customer of CRM?

Yes, you are processing, collecting details of EU residents, therefore you are affected by GDPR.

What if legacy apps are involved?

GDPR is focused on the end user, doesn’t matter how your business does things, whether it is cutting edge or not. So even if it’s legacy apps you work with, you must have processes in place that will bridge between the applications and the regulation.

Are there examples of what other companies have done to become GDPR compliant?

It might be not explicit but if you do a quick search or pay attention to your inbox, a lot of other companies might be already sending you mails saying updating their privacy policies meaning that’s them taking steps to become compliant. And that’s just one part of ensuring explicit consent.

Did we miss a question? Get in touch with us and we’ll get back to you!

Undefined