Perhaps your company hasn’t really done anything to get ready for the General Data Protection Regulation (GDPR), which goes into effect about two months from now.
In that case, it may be time for GDPR triage.
Tim Jesser, director of product marketing for Stockholm-based software asset management firm Snow Software, has a few suggestions. His background includes data security and software management.
First, he told me, “ignore the alarmists.”
“The enforcement won’t be that bad [at first],” he said, “because [the maximum fine] equal to 4 percent of annual global revenue or 20 million euros is for repeat offenders.” Of course, there won’t be many repeat offenders at the beginning.
Next, get a realistic sense of your exposure.
At one end of the spectrum, the most liable companies are those with presences in the European Union (EU) that process personal data from EU citizens.
At the other end are companies elsewhere, with no EU presence, who may inadvertently process personal data of EU citizens without knowing it.
Virtually every company with online activity is somewhere on that spectrum. But even if you’re on the less-exposed end, keep in mind several things.
EU citizens can sue any company in European courts for GDPR privacy violations. Although such litigants are likely to pick their targets carefully, this means that no company is fully immune — even if the GDPR-enforcing authorities are on the other side of the world.
And keep in mind that consumer tolerance for inattention to personal data may well have reached its limit.
The reaction to the Facebook/Cambridge Analytica scandal, for instance, is just beginning to kick in; massive data breaches continue to be reported nearly every other week; and the ad-blocking trend continues.
All of which means that the following specific steps are desirable and useful even if the GDPR police or litigants never come knocking on your door.
Jesser advises that all companies become familiar with GDPR’s basics, starting with the terms that are now becoming common: personal data (the GDPR counterpart to the US notion of “personally identifiable information,” or PII), data portability, consent, legitimate interest, “privacy by design,” Data Protection Officers and the like.
In particular, try to assess if/when you will need user consent and how you are going to get it, store it and disseminate it. There are a variety of online guides, including ours. As you consider mechanisms, recognize that the Interactive Advertising Bureau (IAB) and Google are among those that may be offering systemwide software solutions for managing consent.
Then, make sure you understand completely, and in detail, where every bit of personal data resides in your company.
“One of the mistakes organizations are making,” Jesser told me, “is they think they understand their system, but they have [applications and data sets] they don’t know about.” This is particularly true with companies that have migrated to the cloud, where personal data lives in someone else’s environment while its earlier versions may live on premises.
Even without GDPR, a modern company should have a complete mapping of where personal data resides. If you don’t know, hackers certainly will.
This should lead to a full audit of how personal data flows through your company, so you can take protective measures along each path and be prepared to completely delete a user’s personal data on request. Eventually, you will want a streamlined method for such management and deletions, of course, but first, understand the flow.
In particular, understand exactly how personal data you’re collecting, processing or storing is shared with other companies and what their GDPR-specific policies are. Data leakage is one of the biggest issues for the successful management of personal data.
Make sure there is security appropriate to the risk, Jesser advises. Don’t just say, “We have a network firewall,” for instance, and leave it at that. Equifax apparently thought it had thrown enough security at its massive store of personal data before it was hacked, even though it didn’t encrypt the data.
Understand how every new project, software development or policy impacts your collection, processing and storage of personal data. In other words, start developing the habit of seeing how every company decision affects personal data, just as you assess how every decision affects your bottom line.
And set up ongoing documentation of how personal data is managed. GDPR doesn’t spell out every kind of implementation, but it does require that companies take full responsibility for managing personal data and be able to show their due diligence.
Of course, the above is a lot to do in eight weeks. But perhaps this gives you some idea of where to get started.