Jedidiah Bracy
Publications Editor, International Association of Privacy Professionals
A major swath of the privacy profession is abuzz right now, gearing up for the complex compliance requirements set forth by the European Union’s General Data Protection Regulation.
Order of operations
Companies must document all personal-data processing activities and take responsibility for third-party vendors. Organizations must notify regulators of a data breach within 72 hours, conduct regular “data protection impact assessments,” implement privacy by design and default on new products and services, get consent from users before processing their personal data, and make user data portable, machine-readable and erasable, all on demand. If a European citizen objects to automated decision-making processes that involve their personal data, companies must comply with the objection, and if a business regularly processes sensitive data, it must also appoint a “data protection officer.”
Importantly, companies must be able to demonstrate compliance with all of these rules to an EU data protection authority. Failure to comply could mean fines of up to 100 million euros, or 4 percent of annual revenue.
The stakes are high, and the operational work needed to ensure these regulations are met is extremely difficult.
Find the solution
To help fill the breach, an entire industry of privacy management technology has emerged in the marketplace. More than 100 companies now offer solutions, including consent and assessment management tools, data-flow mapping and discovery services, incident-response technology, activity-monitoring controls, de-identification schemes, privacy information management resources and website scanning tools.
On the whole, privacy management technology is new to the privacy profession, but budgets for these solutions are growing. Though these technologies can be a huge help to privacy pros, they are not “silver bullet” solutions. Privacy officers must still have a grasp of their organization’s business model, IT architecture and data governance strategy. They must stay in contact with their IT, marketing, legal and risk-management teams, and other relevant stakeholders.
For businesses around the world and across industry verticals, the pressure is on, but a large and growing community of privacy pros and corresponding privacy technologies are there to help.