[BreachExchange] 3 Ways Companies Mess Up GDPR Compliance the Most

[Destry Winant]

https://www.darkreading.com/vulnerabilities-and-threats/3-ways-companies-mess-up-gdpr-compliance-the-most/a/d-id/1333734

The best way to conform to the EU's new privacy regulation is to
assume that you don't need to hold on to personal data, versus the
opposite.

The General Data Protection Regulation (GDPR) has been in effect since
May 2018, and companies that have done their due diligence to comply
with the regulation may feel confident they have their bases covered.
However, GDPR compliance rules are not as simple as they might seem at
first glance, and there are special use cases that every company
should consider. If compliance officers rush through checking the
boxes and do not carefully assess the scope of GDPR, and how it
relates to the company's data collection practices, they most
certainly will have holes in their compliance plan.

Here are three examples of frequently overlooked compliance issues
that could put companies at risk.

1. It's not just about consumer data
GDPR was designed to create more protections for consumers whose data
is collected by different companies. But the scope of the regulation
is much more expansive and can be applied in ways many companies
didn't account for in their initial compliance plans. In addition to
consumer personal data, companies are also required to handle the
personal data of employees, job applicants and non-customers (e.g.,
people who fill out a form but don't purchase) with a new standard of
care.

The regulation mandates that all data processing activities have a
legal justification, so the best practice is to collect only the data
that is necessary for essential data processing activities for
consumers, job applicants, and everyone in between. Companies should
evaluate their data processing practices with the goal of data
minimization in order to stay compliant with GDPR.

Recommendation: Don't just review data capture practices; review data
retention practices for all data. Make sure you're properly disposing
of old resumes, employee personal data, and any other records whose
usefulness has expired.

2. Policy vs. Reality
Any company that aims to process personal data must establish policies
governing how data is collected, stored, and processed to stay
compliant with GDPR. While good data governance is the cornerstone to
GDPR compliance, simply having policies in place is not sufficient for
compliance. Companies must go a step further to ensure that employees
fulfill the obligations of data processing defined under GDPR.
Functionally, this means companies are obligated to make sure that
what people do on a day-to-day basis aligns with the GDPR policies.
And if the behavior of employees doesn't meet a company's standards,
then corrective action must be taken.

Often, breach of policy is unintentional — for example, if a customer
support agent is on a call with a customer and saves personal
information about the customer in a system where it does not belong.
Or if an enterprising employee experiments with new software or
establishes free software-as-a-service accounts and forgets to report
them to the compliance officer at the company. While these scenarios
may seem like little issues, they expose companies to big risk because
both examples are GDPR violations.

Recommendation: To mitigate risk, we recommend running frequent "mini"
audits. Our security and compliance team has learned firsthand that
compliance is easiest to incorporate into daily workflow when audits
are part of workflows. While most companies run quarterly audits at
best, annual audits at worst, mini audits that are time-boxed will
signal to your company that compliance isn't a quarterly event but,
rather, a continuous practice. Better yet, automate the audit process
with tools so when policy and reality drift apart, the deviation is
spotted right away.

3. Edge Cases
The data that encapsulates "personal information" under GDPR isn't
always as straightforward as basic demographic information. For
example, job title is an unexpected category of personal information.
Around 99.9% of the time, job title is not considered personal
information that is protected under GDPR, but it certainly can be
depending upon the situation. For example, consider this job title:
Chancellor of Germany. There is only one person in the world today
that holds this position, meaning the identity of the individual can
be revealed by this particular detail. So, in this case, job title
must be considered personal information under GDPR, and is therefore a
protected class of data. The catch is if one job title counts as
personal information, then all job titles must be considered as
potential personal information and treated as such.

Recommendation: As part of your regular data audits, allocate some
time to look at the information you collect that you don't mark as
personal information. Just using the "non-personal" information, can a
clever person deduce if a data point belongs to a specific person? If
so, then you might want to rethink what's personal information and
what is not.

Complying with GDPR is more involved and extensive than it initially
appears, but it is not an impossible standard. The best advice is to
assume that you don't need any data versus the opposite, that you do.
In this way — in the spirit of GDPR — companies will inevitably
provide the highest-caliber personal data protection for their users
and ensure accountability for personal data processing throughout the
organization.