You are a Manager responsible for the for one or many of the applications enabled by your Enterprise Service Management solution. Your enterprise has kicked off the GDPR compliancy gap analysis. What do you need to expect and what is expected from you in this project? Read on to discover the Top 10 steps to Prepare for the GDPR Gap Analysis.
Several large enterprises are running currently the GDPR compliancy gap analysis, also called the GDPR readiness analysis. Some organizations have completed it already. The gap analysis is the first step out of the three major steps towards the GDPR compliancy.
The other two steps are:
- implementation of required changes and
- the GDPR compliancy audit.
IT leaders need to provide the necessary documentation and information for the GDPR gap analysis to be completed. I collected a list below of 10 things that are essential for the business owner of the Enterprise Service Management solution:
- GDPR accountability and the Data Privacy Officer
Accountability for personal data is one of the big changes in the new legislation. If an organization is controlling the use of personal data or is processing personal data on behalf of somebody else, then it has a direct legal accountability for the privacy of such data and therefore the compliancy to the GDPR. Any organization controlling or processing personal data might also be required to nominate a person that is responsible for GDPR compliancy depending on the size of the company and sensitivity of the personal data. That person is called sometimes Data Privacy Officer. In many cases, the person is resourced from the organization reporting to the CIO. In some cases, the Data Privacy Officer is reporting to the Head of Legal. Either way, an organization with over 250 employees should have one. The GDPR gap analysis will check whether there is a clear accountability for the GDPR and that all relevant units including IT know what the role is and who it is.
- GDPR awareness and Design for Privacy competence
Protection of personal data is not a job for a few, selected employees in your organization. You cannot outsource data protection and you cannot rely on your compliancy office (if you have such a thing) to take care it. Data protection is very much a state of mind involving everybody and everything handling personal data. Therefore, the GDPR analysis will check what the current knowledge on the GDPR is on different levels of the organization. The analysis might include interviews of IT people handling personal data and those creating processes managing personal data.
- Data Inventory and Mapping
You cannot protect personal data if you do not know what you’ve got, where you have it, and who else is getting it. Hence, an inventory of what personal data you store in which IT solution will be necessary. And this can be a very tedious job of scanning databases, web pages, and various applications ranging from HR solutions to access management solutions for employees. Data mapping covers your CRM and support solutions for your customers. And it covers your digital records for manging externals, vendors, and subcontractors. Ultimately, you need to create a map on what personal data you hold and for which purpose. The data analysis should include also a categorisation of data on whether it required to hold for regulatory reasons, for providing a service, or whether it is of specifically delicate nature such as gender, race or religion. The solutions operated in IT are holding plenty of such information from the Active Directory, through the Identity Management solution, and the Enterprise Service Management tool serving as single point of record for supplier management. Inventorying and mapping data in the digital solutions in your scope will be a time-consuming effort for the GDPR analysis. Creating a record of which application holds which data, when the last Privacy Impact Analysis has been done on the application, and who is responsible for the privacy of data can be done in an Enterprise Service Management solution.
- Access rights for personal data
Once you have created a map of the personal data you are processing, you should be able to document on who has access to it and why. Fine-grained access management is required for the implementing the principle of Design for Privacy stipulated by the EU legislation.
- Privacy Impact Analysis (PIA) process
Data mapping and access rights analysis will create the foundation for protecting personal data. However, any organization needs to be able to assess whether any change implemented over time after the initial GDPR gap analysis impacts personal data privacy. Privacy Impact Analysis guidelines for change management projects help to maintain GDPR compliancy over time. The GDPR gap analysis will check whether a PIA is part of your change management process, whether project or program managers know how to implement them, and whether guidelines in IT exist on how to deal with personal data risks identified in the PIA.
- GDPR-related incident process readiness
Is there an incident management process for GDPR-related privacy breaches? Are the necessary escalations to the CIO or CSO in place? Can the Data Privacy Officer follow in real-time which privacy risks occur and how the remediation in progressing? Are the notifications and escalations in place to ensure that supervisory authority notifications are sent as soon as possible but not later than in 72 hours? These are questions that might be asked in the GDPR analysis from ITSM business and process owners.
- Right-to-erased and pseudonymization capability
As part of the GDPR compliancy, organizations need to consider that customers, employees, and subcontractors have the right to be erased, also frequently referred to as right-to-be-forgotten. The GDPR gap analysis may include checking whether procedures and capabilities to erase all personal data (or the anonymization of such data) exists. The analysis may also include a recommendation to automate right-to-be-forgotten requests from customers, subcontractors, and employees to establish a timely execution in line with the spirit of the GDPR. Are there workflows for handling such requests in IT? Are there means to remove personal data on request and create an audible trail that such a request has been recorded and executed in line with the internal policies?
- Data retention strategy
Extensive back-up and data retention procedures storing data in offline media for years to come will make it very hard (to a degree of being impossible) to fulfil the right of every EU citizen to be forgotten by your organization on request. The right-to-be-erased means that IT needs to either remove the related personal data or anonymize the data so it cannot be linked to the individual human anymore. The GDPR gap analysis is likely to record the data back-up and retention policies for data containing personal data including a categorization of which data must be stored for regulatory reasons. Some leading consultancy organizations have gone as far to recommend a complete overhaul of the data retention rules for the GDPR compliancy focusing on storing only a minimum of personal data for a minimum amount of time. The IT organization as operational unit providing data processing capabilities for any B2C, B2B, and HR business will be essential in this angle of the GDPR gap analysis.
- Consent management capability
Customers and employees have in the future the right not only to know what personal is being processed and stored but also the right to reject the consent to storing and forwarding such information. Enterprise and consumer web services will be under scrutiny in the GDPR gap analysis to identify whether means to gather and revoke consent in each service exist and whether the purpose of using such personal data is transparent to the user. Is an audit of consents per service given possible?
- Vendor management process
The accountability for GDPR compliancy does not end inside of your organization, enterprise, or corporate. Any subcontractor or service provider that processes personal data you control on your behalf must comply to the GDPR as well. Do you have a single record of the GDPR-compliancy status of your vendors? Do you know the DPO of each vendor? Does your vendor contract template include provisions and considerations related to the personal data and privacy? The GDPR gap analysis will verify how ready your vendor management is. Even with many enterprises in-sourcing some IT services again, today’s IT landscapes includes a multitude of subcontractors and suppliers. IT has a vital role in ensuring the GDPR compliancy of those vendors processing personal data on their behalf.
A GDPR gap analysis creates a significant amount of effort in the IT organization. Some of the activities can be outsourced. Data mining services can be bought from professional big data consultants with powerful scanners. The results of data mining can and should be recorded in an Enterprise Service Management solition such as Efecte Service Management. Privacy Impact Analysis (at least the initial ones) can be implemented jointly with legal service providers such as Bird&Bird. Security incident workflows, consent management and access management changes can be designed and implemented together with Efecte as a partner.
But one cannot outsource the responsibility to data privacy in the eyes of the legislation. As always, it’s better to be prepared for such a major project than be surprised. A GDPR gap analysis is not rocket science, but it will take time and resources from IT.
If you want to know more about the GDPR and how Efecte can help you, please do contact us and we will help you with your GDPR gap analysis for your Enterprise Service Management solution.