GDPR Case Studies and Practical Examples: How did companies start data protection?
Upon the rollout of GDPR, many US companies were left wondering what they needed to do. Numerous businesses were slow to take action, and in spring 2018 most of them were still not prepared for the new legislation. When the GDPR compliance deadline of 25 May 2018 passed, we reached out to various enterprises and SMEs and asked them to share the steps they took when starting the process, along with their practical GDPR case studies and success stories.
Practical GDPR case studies: Initial steps
Where did companies start their GDPR journey, and which steps did they take to comply? The companies below provided practical GDPR case studies and real-life examples of how they handled the two-year period after GDPR was adopted in April 2016, and of how they protect their clients’ personal data today.
Each company defined its own stages of GDPR compliance. Nonetheless, most began the same way: by understanding the purpose of the regulation and identifying what customer data they actually hold.
1. Reading the law and understanding its purpose
Undoubtedly, it is crucial to know who is subject to GDPR, what its purpose and requirements are, and what the penalties for non-compliance are. Without that knowledge of the law, a company cannot draw up a plan or build a program that matches its own scope and tasks.
“For GDPR compliance, I started by reading the law cover-to-cover (260 pages) and I created my own summary of what rules applied to my business. That became the template of what I used to help my clients with their GDPR compliance”, noted Ruth Carter, Owner/Attorney at Carter Law Firm, PLLC.
“A year later, in September 2017, we really started getting serious about the details of each clause about the protection of personal data. Like many of you, we also attended webinars and read voraciously”, stated Zak Pines, CMO at Bedrock Data.
“You can’t thrive under GDPR if you don’t understand it. Reading the legislation, articles related to the related industry, and participating on discussion boards, as well as disseminating that knowledge to the rest of the company. Sorry, but simply reading a few short articles isn’t going to cut it for a massive and complex topic like GDPR”, said Tony Kim, CMO at HEXONET Services Inc.
2. Answering 3 cornerstone questions – What, How, Where
Alexandra Bohigian, Client Relations Coordinator at Enola Labs Software, shared a case study that began with three key questions: What, How, Where.
- What data does your company currently collect? Did you receive consent to collect this data from users? If unsure, you should send out a notice to customers explaining what data you are currently collecting.
- How is this data collected? You must notify users about the data you are collecting, why you are collecting it, and what you are doing with the data. Users must consent to this and be able to view and/or delete this data at any given time.
- Where is this data stored? Companies must tell users how long the data will be stored and how it is kept private.
Any company whose website processes personal data, such as names, postal addresses, email addresses, IP addresses, or analytics identifiers, needed to review and modify its processes. “Information is power, but sometimes less is more. To achieve GDPR’s requirements, it is important to focus on what you really need to do your job”, commented Sophie Miles, CEO of CalculatorBuddy.com.
“This is an essential step that can help to weed out potential problems such as storing data with non-compliant third parties”, said Ben Taylor, a serial solopreneur and Founder of Home Working Club.
3. Getting professional legal assistance or appointing a DPO
Article 37 of GDPR requires some organizations (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) to designate a Data Protection Officer. The DPO plays an important role in making sure data is obtained lawfully and processed carefully, and in putting checks and balances into the system that protect the data.
Robert Rauch, President and CEO of RAR Hospitality, asserts, “At RAR Hospitality, we do not use administrative assistants and hence, we all must be tech-savvy. But there is a material difference between ‘tech-savvy’ and an IT expert. Immediately upon hearing about GDPR, we hired an IT expert who has expertise in hotels. There were two areas where we concentrated: GDPR and PCI Compliance”.
When people think about GDPR, the first thing that comes to mind is complying with its rules. But GDPR asks for more than that: under the accountability principle (Article 5(2)), a controller must be able to demonstrate its compliance, and that documented evidence is what a company will rely on if a supervisory authority investigates or it has to defend itself in court over an alleged violation. Therefore the company should document all of its processes, the people responsible, reviews, audits, and how problems were handled.
“As the BlackBerry DPO, I’ve been working for some time with a strong and collaborative cross-functional legal and cybersecurity support team; we have kept good records and documentation of our compliance efforts, and we have updated our internal policies and processes to ensure privacy is embedded in our thinking; from how we develop our products to how we engage with our customers”, commented David Blonder, Global Data Protection Officer at BlackBerry.
“Having a documented data map goes a long way towards having ‘demonstrable proof’ of efforts to comply with the legislation”, added Ben Taylor.
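As an added example (not code from any of the companies quoted, and not part of the original article), the following Python script shows how the “What data do we collect?” question above and Ben Taylor’s “documented data map” can be approached mechanically rather than by interview alone: it scans sample tables, classifies columns whose values look like email addresses or IP addresses and columns whose names suggest a person’s name, and emits a table-to-column map that can be kept as evidence. The table names, the records in them, the name hints and the 50% voting threshold are all assumptions made for the example; the records are constructed, not real customer data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not real customer records): three application
# tables, each a list of row dicts. Only used to exercise the classifier.
SAMPLE_TABLES = {
    "customers": [
        {"id": 1, "full_name": "Ada Example", "email": "ada@example.org",
         "signup_ip": "203.0.113.7", "plan": "pro"},
        {"id": 2, "full_name": "Bo Sample", "email": "bo@example.net",
         "signup_ip": "198.51.100.9", "plan": "free"},
    ],
    "web_events": [
        {"event_id": 100, "client_ip": "192.0.2.44", "path": "/pricing",
         "user_agent": "Mozilla/5.0"},
        {"event_id": 101, "client_ip": "2001:db8::1", "path": "/signup",
         "user_agent": "curl/8.0"},
    ],
    "inventory": [
        {"sku": "A-1", "qty": 5, "warehouse": "east"},
    ],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Column-name hints for categories that have no reliable value pattern (assumption).
NAME_HINTS = ("name", "surname", "first", "last")


def classify_value(value):
    """Return a personal-data category for one cell value, or None."""
    if not isinstance(value, str):      # ints never match; this guard also avoids
        return None                      # ipaddress.ip_address(5) == IPv4Address('0.0.0.5')
    if EMAIL_RE.match(value):
        return "email"
    try:
        ipaddress.ip_address(value)      # accepts both IPv4 and IPv6 literals
        return "ip_address"
    except ValueError:
        return None


def classify_column(column, values):
    """Classify a column by majority vote over its values, falling back to the
    column name for categories like 'name' that values alone cannot reveal."""
    votes = Counter(c for c in map(classify_value, values) if c)
    if votes:
        category, count = votes.most_common(1)[0]
        if count / len(values) >= 0.5:   # threshold is an assumption for the example
            return category
    if any(hint in column.lower() for hint in NAME_HINTS):
        return "name"
    return None


def build_data_map(tables):
    """Return {table: {column: category}} covering every column that holds personal data."""
    data_map = {}
    for table, rows in tables.items():
        if not rows:
            continue
        columns = {}
        for column in rows[0]:
            category = classify_column(column, [row.get(column) for row in rows])
            if category:
                columns[column] = category
        if columns:
            data_map[table] = columns
    return data_map


if __name__ == "__main__":
    for table, columns in build_data_map(SAMPLE_TABLES).items():
        for column, category in columns.items():
            print(f"{table}.{column}: {category}")
```

Run against the sample tables, the map flags `customers.full_name`, `customers.email`, `customers.signup_ip` and `web_events.client_ip`, and leaves `inventory` out entirely; a real run would be pointed at database schemas and sampled rows rather than inline dicts, and the output is the artifact you version and show to an auditor.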
Practical GDPR challenges
Andres Angelani, CEO at Softvision, described a case study focused on the following:
- Ensuring our tools don’t store or process sensitive data, per the GDPR developer and compliance guide;
- Ensuring all our deliverables (code, test cases, documentation) conform with the GDPR developer and compliance guide and don’t contain data related to our client’s users and customers;
- Actively monitoring cookies and how they’re used, making sure they’re categorized and used correctly and that any cookies marked as removed are no longer present in any part of our apps;
- Relevant to QA, including a subset of test cases which are executed with each release that validates GDPR requirements that are present inside the app (terms and conditions, privacy statement, cookie disclosure, device permissions);
- Helping to trim and maintain accurate mailing lists and aliases for group communication and ensure the content of the communication follows GDPR guides.
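The cookie monitoring and the per-release QA test cases in the list above can be turned into an automated release gate. The Python below is an added example, not Softvision’s code or anything from the original article: it compares the cookies a build actually sets against a registry of declared cookies (category and whether the cookie has been marked removed) and fails the build on any undeclared cookie, any cookie still set after being marked removed, and any non-essential cookie set before consent. The registry, the cookie names and the captured response headers are all constructed assumptions for the example.

```python
# Constructed cookie registry (an assumption for the example): what the privacy
# notice and cookie banner declare. A cookie with status "removed" has been
# withdrawn from the disclosure and must not appear in any response.
COOKIE_REGISTRY = {
    "session_id": {"category": "necessary", "status": "active"},
    "csrf_token": {"category": "necessary", "status": "active"},
    "_ga":        {"category": "analytics", "status": "active"},
    "ad_tracker": {"category": "marketing", "status": "removed"},
}


def set_cookie_names(headers):
    """Names of the cookies set by one response, from its (name, value) header pairs.
    Only the 'name=' part before the first ';' matters for this check, so the
    attributes (Path, Expires, SameSite, ...) are deliberately not parsed."""
    names = []
    for header, value in headers:
        if header.lower() == "set-cookie":
            names.append(value.split(";", 1)[0].split("=", 1)[0].strip())
    return names


def check_cookies(responses, registry, consent_given):
    """Release gate. `responses` is a list of (url, headers) captured from the build
    under test; `consent_given` says whether the requests were made after the
    user accepted non-essential cookies. Returns a list of human-readable findings;
    an empty list means the build passes."""
    findings = []
    for url, headers in responses:
        for cookie in set_cookie_names(headers):
            entry = registry.get(cookie)
            if entry is None:
                findings.append(f"{url}: undeclared cookie '{cookie}'")
            elif entry["status"] == "removed":
                findings.append(f"{url}: cookie '{cookie}' is marked removed but is still set")
            elif entry["category"] != "necessary" and not consent_given:
                findings.append(f"{url}: non-essential cookie '{cookie}' set before consent")
    return findings


# Constructed responses, stored as captured headers rather than fetched live so
# the check runs offline. First visit, before the banner has been answered:
PRE_CONSENT = [
    ("https://example.test/", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session_id=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "_ga=GA1.2.1; Path=/; Max-Age=63072000"),
        ("Set-Cookie", "ad_tracker=x1; Path=/"),
        ("Set-Cookie", "exp_variant=B; Path=/"),
    ]),
]
# The same page after the banner was accepted, on a build that passes the gate:
POST_CONSENT = [
    ("https://example.test/", [
        ("Set-Cookie", "session_id=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "csrf_token=9c2e; Path=/; Secure; SameSite=Strict"),
        ("Set-Cookie", "_ga=GA1.2.1; Path=/; Max-Age=63072000"),
    ]),
]

if __name__ == "__main__":
    for finding in check_cookies(PRE_CONSENT, COOKIE_REGISTRY, consent_given=False):
        print("FAIL", finding)
    print("post-consent findings:", check_cookies(POST_CONSENT, COOKIE_REGISTRY, consent_given=True))
```

On the pre-consent capture the gate reports three failures (the analytics cookie set before consent, the removed `ad_tracker` still present, and the undeclared `exp_variant`); the post-consent capture passes. In a CI pipeline the captures would come from a headless browser crawling the staging build in both consent states, and the registry would be the same file the cookie disclosure page is generated from, so the two cannot drift apart.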
Robert Rauch said, “As CEO, I personally have been reviewing all of our necessary compliance issues at each hotel. Guest records are one of the most difficult—as an example, it would be virtually impossible to identify which hotel guests were from Europe”. He added, “Payment card data continues to be a popular target with attackers, so we are being diligent and utilizing our IT team to check for 100% PCI Compliance immediately”.
“Achieving compliance with the EU General Data Protection Regulation was by no means easy. The difficult truth of GDPR is that the European Data Commission wrote the regulation in such a way as to leave the burden of defining ‘compliance’ on the organizations it’s meant to apply to. Because of this, businesses have been left to their own devices to both identify and implement GDPR compliance”, noted Ian McClarty, President and CEO at Phoenix Nap Global IT Solutions.
The long-term effect of GDPR compliance
How have the two years of preparing for GDPR already helped companies? Although some organizations and their clients experienced difficulties or anxiety along the way, the law forces companies to prioritize compliance and, in the end, raises the level of diligence applied to collecting and processing personal data, including data obtained from third parties.
Andres Angelani said, “The greater scrutiny that comes with the new GDPR law should not only increase transparency but also benefit and strengthen the third-party data ecosystem. In the short-term, expect regulators to aggressively enforce the law and hold all parties accountable. But once the dust settles, a more efficient and secure data collection and management process will emerge, presenting greater and more meaningful engagement opportunities for both companies and consumers”.
“The thing is that there’s no need for these businesses to be fearful of how the GDPR will affect them. Provided they’re making substantial demonstrable efforts to be compliant, it’s actually a big opportunity to get closer to customers, to differentiate themselves competitively, and to move quickly as new technologies emerge that require compliance”, David Blonder told us.
However, GDPR compliance does not mean compliance forever. Most of the GDPR case studies treated the deadline as the start of a process, not the end. Michael Rakutko, Head of Professional Services at ERPScan and co-author of the SAP Cybersecurity Framework, recommends that companies continue the process and follow a plan covering the tasks GDPR requires:
- Assess data processes
- Identify data items in SAP
- Find users having access to personal data
- Evaluate SAP security controls
- Assess risks to data subjects
- Restrict access to personal data
- Implement and describe security controls to demonstrate compliance
- Manage personal data lifecycle
- Monitor personal data access
- Detect SAP security threats
- Implement SAP incident response capabilities
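Two of the steps above, “Find users having access to personal data” and “Monitor personal data access”, lend themselves to a worked example. The Python below is an added example, not ERPScan’s code or part of the SAP Cybersecurity Framework, and it uses a generic role model and a constructed key=value audit trail rather than any real SAP log format: it expands role assignments into the set of users who can reach the personal-data tables identified in the inventory step, then replays an audit log and alerts on reads of those tables by users whose roles do not grant them (which also exposes a broken authorization check, since the log shows the read happened) and on bulk reads above a threshold even by authorized users. The table names, roles, users, log lines and the 1000-row threshold are all assumptions made for the example.

```python
import re

# Constructed output of the inventory step: tables known to hold personal data.
PERSONAL_DATA_TABLES = {"customers", "web_events"}

# Constructed role model (an assumption): which role may read which table,
# and which roles each user holds.
ROLE_GRANTS = {
    "support_agent": {"customers"},
    "analytics":     {"web_events"},
    "dba":           {"customers", "web_events", "inventory"},
    "warehouse":     {"inventory"},
}
USER_ROLES = {
    "alice": {"support_agent"},
    "bob":   {"warehouse"},
    "carol": {"dba"},
    "dave":  {"analytics", "warehouse"},
}

# Constructed audit trail. The key=value layout is an assumption for the
# example, not the format of any real SAP or database audit log.
AUDIT_LOG = """\
2018-06-01T09:00:01Z user=alice op=SELECT table=customers rows=1
2018-06-01T09:00:05Z user=bob op=SELECT table=customers rows=1
2018-06-01T09:01:10Z user=carol op=SELECT table=customers rows=50000
2018-06-01T09:02:00Z user=dave op=SELECT table=web_events rows=20
2018-06-01T09:02:30Z user=bob op=SELECT table=inventory rows=3
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def users_with_personal_data_access(user_roles, role_grants, pd_tables):
    """Step 'Find users having access to personal data': expand each user's roles
    into tables and keep only the personal-data tables. Returns {user: [tables]}."""
    result = {}
    for user, roles in user_roles.items():
        tables = set()
        for role in roles:
            tables |= role_grants.get(role, set())
        hits = tables & pd_tables
        if hits:
            result[user] = sorted(hits)
    return result


def detect_personal_data_access(log_text, user_roles, role_grants, pd_tables,
                                bulk_threshold=1000):
    """Step 'Monitor personal data access': return (kind, user, table, rows) alerts
    for reads of personal-data tables by users whose roles do not grant them, and
    for bulk reads at or above `bulk_threshold` rows by users who are authorized."""
    allowed = users_with_personal_data_access(user_roles, role_grants, pd_tables)
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                  # malformed line: skip it rather than crash the monitor
        user, table, rows = match["user"], match["table"], int(match["rows"])
        if table not in pd_tables:
            continue                  # reads of non-personal tables are out of scope here
        if table not in allowed.get(user, []):
            alerts.append(("unauthorized_access", user, table, rows))
        elif rows >= bulk_threshold:
            alerts.append(("bulk_read", user, table, rows))
    return alerts


if __name__ == "__main__":
    print(users_with_personal_data_access(USER_ROLES, ROLE_GRANTS, PERSONAL_DATA_TABLES))
    for alert in detect_personal_data_access(AUDIT_LOG, USER_ROLES, ROLE_GRANTS,
                                             PERSONAL_DATA_TABLES):
        print(*alert)
```

On the sample input the access list names alice, carol and dave (bob’s warehouse role reaches no personal-data table), and the monitor raises two alerts: bob reading `customers` despite having no grant, and carol’s 50,000-row export of `customers`, which is authorized but large enough to warrant a look. The same two functions, fed the real role model and audit trail, also produce the evidence for the “Implement and describe security controls to demonstrate compliance” step.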
You can find more on Michael’s recommendations and GDPR case studies in our blog, in a series of articles:
- GDPR Explained: What are the Technical Security Requirements?
- GDPR for SAP: How to find personal data and assess privacy risks?
- GDPR for SAP: How to restrict personal data processing?
- GDPR for SAP: How to monitor personal data access?
An important point is that GDPR should not be seen only as a time-consuming and troublesome process, but as an opportunity to finally devote time and budget to cybersecurity, to optimize IT procedures, and to put data first. All of these measures help build closer ties with clients and maintain, or even strengthen, their loyalty.
A huge Thank You to everyone who helped and contributed to this GDPR-related article.