Meet the Demands of GDPR Compliance
Retailers must invest significant effort and resources to keep customer information private.
- by Mike Chapple
Many organizations missed the deadline for compliance when the European Union’s General Data Protection Regulation went into effect in May 2018. Achieving compliance can be challenging, but it is an undertaking that should be approached seriously.
Retailers should understand that getting to GDPR compliance is not a rapid process. Depending on the complexity of the organization and the current state of its security and privacy controls, it may take a year or longer to achieve initial compliance. Once a retailer does achieve initial compliance, staying compliant requires an ongoing investment of time and money in maintaining, updating and monitoring the security and privacy of customer information.
Retailers should plan to work with their own technology and business teams, as well as business partners, on a four-phase remediation effort: building a data inventory, conducting a gap analysis of existing controls, prioritizing remediation efforts and finally implementing a compliant solution. This process may include multiple cycles of planning and implementation that help the organization make steady progress toward a fully compliant status. This progress provides an important demonstration to regulators that the business is committed to customer privacy and to complying with GDPR.
Phase 1: Data Inventory
The data inventory builds the foundation for the entire compliance effort. Retailers must scour all their existing systems and business processes to identify the types of information they currently collect, store and process. This inventory should clearly identify all of the locations where the organization stores personal information, as well as the security controls that exist around that data.
At the conclusion of this process, the Data Protection Officer (DPO) should have a strong understanding of the retailer’s data environment. While storage and processing may not yet be compliant with GDPR requirements, this is the first important step toward achieving that goal.
Phase 2: Gap Analysis
With the data inventory in hand, the DPO may now begin the process of conducting a GDPR gap analysis. This includes analyzing the organization’s business processes to verify that all personal information is collected for a legitimate business purpose and that the organization is meeting the transparency and consent requirements of GDPR. The gap assessment should also verify that the technical controls in place provide adequate security for sensitive information.
The final product of the gap analysis should be a listing of all of the control deficiencies in the organization that might require remediation. This may include a listing of stored data elements that are not necessary for a legitimate purpose and should be deleted, gaps in the consent process requiring that the organization contact customers, policy revisions necessary to meet GDPR regulations and technical control shortcomings.
Phase 3: Prioritization and Planning
The gap assessment provides the basis for a project plan designed to move the organization to a fully compliant position. The team developing this project plan should prioritize efforts based on the cost and difficulty of each initiative, balanced against the degree of risk reduction each would achieve.
The project manager may then use this prioritized list of efforts to develop a detailed project plan that includes a listing of key deliverables and target milestone dates. The speed of remediation will depend on the priority placed on compliance by the organization and the financial and human resources available for the effort.
Phase 4: Implementation
After completing the prioritization and planning phase, the organization moves into implementation mode. This effort will most likely include a wide variety of projects designed to revise business processes and roll out new technologies.
Many of the projects in a remediation effort will be one-time initiatives designed to achieve initial compliance. For example, the organization may need to reach out to all existing customers to notify them of privacy practices and obtain explicit opt-in consent for data processing to continue. Similarly, the organization may conduct a search of employee workstations to identify any personally identifiable information that is locally stored and transfer that data to an approved, secure location.
Other projects will build the systems and processes required to maintain long-term compliance with GDPR obligations. For example, a project might develop the process that receives and fulfills customer requests for data export or erasure. Similarly, a project might create an ongoing process for monitoring the organization’s data loss prevention system.
One of the most visible effects of GDPR is the wave of emails that consumers received as the compliance deadline approached. These messages notified them of changes to website privacy policies and terms of service designed to comply with GDPR provisions and asked them to provide explicit consent for data processing.
In most cases, organizations will be able to create the required GDPR documentation by revising and supplementing their existing privacy policies. These revisions should include clear descriptions of the organization’s privacy practices, as well as required disclosures of how consumers may exercise their right to access data and their right to be forgotten.
To learn how your retail organization can handle the challenges of GDPR, read the CDW white paper “How Retailers Can Deal with the New Reality of GDPR.”