The European Parliament adopted GDPR in April 2016, replacing an outdated data protection directive from 1995. According to an Ovum report titled “Data privacy laws: Cutting the red tape”, two-thirds of businesses expect to have to change their global business strategies to accommodate new data privacy regulations.
At Torii, we get the chance to work with many IT professionals, and since Torii helps IT organizations discover and manage their SaaS applications, we get the opportunity to be involved in their GDPR preparations. With GDPR right around the corner, most of our customers are in the implementation stage and are expected to be compliant by May 25, 2018.
While a lot of knowledge is shared regarding GDPR, our customers noticed a recurring challenge: getting other departments involved in the GDPR preparations. Every department needs to invest time to understand the new policies and assess the changes needed.
We decided to take action and help IT professionals explain GDPR in a clear and human-friendly way. It’s a one-pager that can be handed out to every employee in the company so that they actually read it, understand it and embrace it. The “GDPR Cheat Sheet” can be found at the end of this post.
Getting ready for GDPR would be much simpler if all your data were secured and managed on-premise. However, today we live in the age of the SaaS revolution, which makes it harder to understand and control how and where data is being transferred. Let’s take a minute to think of GDPR from the end user’s point of view.
How Should I Explain the WHY of GDPR?
We are all aware now that more and more of our personal data is being shared with vendors, services, and even our employers. We live in a more connected world, and companies are getting better at handling and storing large amounts of customer data. We are more open to providing personal data in exchange for a personalized service that is tailored exactly to our needs.
Picture a world with no data breaches and perfect data protection, separation, and respect, where we have no problem sharing our most personal data – we could have beautiful services tailored to our genes, preferences, and thoughts.
Yet that is an ideal world, and we live in the real one. So how can we make sure our most sensitive private information is treated with the respect it deserves?
Let’s follow a simple example. Mike starts using a new tool on the web – “I’m giving you my private details, please treat them with respect, and respect my control over these details.”
Now let’s take a closer look to understand what it means when Mike says:
- Understand what you collect and what you do with it.
- Collect & Guard only what you need.
- Do the right thing about it.
“And let’s agree on another thing. I’m just lending you my data, you don’t own it. I do.”
Those are the basics of why every one of us needs GDPR and what it means. Once you understand and embrace it, the rest should become easier and more obvious.
How Should I Explain the WHAT of GDPR?
When explaining the “what” of GDPR, we focus on the term “Users,” but GDPR may apply to vendors, employees, customers, and others.
- We need to ask for and receive permission before collecting or processing information.
- In the event of a data breach, we need to notify customers of any risk within 72 hours.
- Right to access: Users can ask for all the data we have on them, and we should be prepared to give it to them.
- Right to be forgotten: Users can ask us to erase all their data and leave no trace of them on our systems.
- Users should be able to receive all their data in a reusable way in case they switch to another service.
- Privacy by design: Our service should be designed from the ground up for privacy and data protection.
- Data protection officers: We will appoint professionally qualified data protection officers if our company has more than 250 employees and engages in the processing of sensitive personal data.
How Should I Explain the Implementation of GDPR?
To simplify, we’ll look at the 7 steps of getting your organization to GDPR readiness:
- Assign Champion: Assign someone in charge of the entire process, and assign owners of data privacy within the different departments that interact (or might in the future interact) with private data.
- Map the tools in use in the company, map the business owners for these tools, and understand the data collected by these systems.
- Perform the data protection risk analysis for the data, your different vendors, and the software you use.
- Implement the needed processes and technology to support data transfer, data erasure and breach notifications.
- Standardize your organization’s data protection policies.
- Enforce the new policies on an ongoing basis, as this is a continuous process rather than a one-time effort.
- Keep track of and document each one of the steps you’ve taken.
GDPR Cheat Sheet
Feel free to download the GDPR Cheat Sheet and share it inside your organization and with other IT professionals.
You should also give Torii - SaaS management a try. With a simple and quick setup, you’ll get instant visibility and control over all your SaaS apps, perfect for GDPR readiness.