Q&A with Nintex vTE Simon Wright: New GDPR Legislation
Simon Wright is a Nintex vTE (virtual technical evangelist) and the founder and CEO of Britecloud, a value-added distributor and Nintex technology partner working with organizations across Europe, the Middle East, and Africa to digitally transform their processes.
We talked with Simon to learn about what organizations can do to comply with GDPR, the new EU legislation coming into effect May 25, 2018.
1. Can you explain exactly what the GDPR is and who it affects?
The GDPR is a change in European Union (EU) law designed to harmonize data privacy approaches across Europe and to protect all citizens from privacy and data breaches. The regulation redefines how companies must approach Personally Identifiable Information (PII).
The regulatory change is not just focused on EU citizens. It protects and increases the rights of people residing within the EU boundaries, essentially giving them ownership of their own personal data and how it is shared with organizations.
GDPR is also not limited to EU businesses. It affects any business worldwide that has customers or employees within the EU.
2. Why is the GDPR being enacted?
The current data protection laws were written in a time where the ability to share data as easily, and in such huge volumes, didn’t exist. The internet and modern collaboration platforms were in their infancy, as was data privacy legislation.
About 20 years later, we’re creating and sharing data with organizations on a massive scale as part of every digital transaction. This modern technology necessitates modern legislation that is fit for purpose.
A first and last name, address, date of birth and medical information are very descriptive and potentially harmful if they end up in public hands. The new regulation seeks to protect citizens from the potential damage they would face if their Personally Identifiable Information (PII) was breached.
3. How do these regulations affect how businesses are conducted, both in and out of the EU?
The changes will be drastic for some organizations, while others may not feel the effects as greatly, depending on the type, scale, and global reach of the business. Organizations that collect vast swathes of data for marketing purposes, those with diverse and disparate online customer bases, or those servicing large proportions of the population such as government or medical organizations will have to work hard to comply with the new regulations.
There are areas of the new legislation that are easy to understand, such as the need for:
- An appointed Data Protection Officer at each organization
- Reports of data breaches to the enforcing body in the organization’s jurisdiction within 72 hours. For the UK, see the Information Commissioner’s Office (ICO)
- A mechanism to provide EU citizens with access to the data which an organization holds on them
- A method for EU citizens to invoke the right to be ‘forgotten’
Think of these regulations in relation to your own business – how easily would you comply today?
4. What are the benefits of the GDPR, both for individuals and for organizations?
There are many benefits of GDPR legislation. For organizations, there will be benefits like:
- Being a leaner and more agile business
- Having a mature approach to risk management
- Improved reputation in the market
- Increased customer loyalty
- More accurate and actionable data
- Reduced likelihood of data breaches and data losses
Many organizational benefits are also benefits to the individual, as well. Individuals will have more control over their personal data and peace of mind that their data is safer in the hands of compliant and responsible organizations.
5. What are steps companies can take to tackle the GDPR head-on?
There is a ‘simple’ four-step approach to getting and staying compliant:
- Discover what you have. How does data get into your systems and what is it used for? Who can access it? How much of it is sensitive? How long do you keep it and why?
- Manage those systems and data. Decommission legacy systems. Migrate data to modern, controllable platforms. Delete unwanted data. Discover, classify, and control important and sensitive data. Put systems in place to detect breaches. There are multiple ways to modernize and streamline your systems while working toward compliance.
- Control target systems, data, and processes. Use discovery, classification, policy, and process platforms to enforce corporate data handling processes.
- Report on organizational health and risk. Understand what overall risk you are carrying as an organization, drill into individual Subject Access Requests (SARs), and gain visibility into internal data handling exceptions.
This approach should leave your business leaner, more modern, and more agile.
6. How can Nintex’s Intelligent Process Automation (IPA) technology help organizations comply with the GDPR?
Compliance is all about process, and the GDPR is no different. The key to remaining compliant is the ability to demonstrate to enforcing bodies that business processes are documented, fit for purpose, repeatable, and adaptable.
Compliance means lower risk of fines or sanctions, increased corporate reputation and brand value, or even something as simple as continuing to hold a license to operate.
7. Can you give some examples of solutions you could automate with Nintex Workflow Cloud to help comply with the GDPR?
There are some implicit processes you will need to have in place come May 25th that allow a data subject to exercise their new rights. These processes include accessing, exporting, updating, and deleting data.
Organizations should also consider processes around consent. Collecting data for marketing purposes is fine, so long as those processes are GDPR compliant. Think about where you collect personal data and put a compliant process around it.
- Website contact forms
- Trade show lead collection
- Consent confirmation for third party marketing lists
- Data subjects updating consent and marketing preferences
8. What is the most popular concern you hear from your clients in their journey to GDPR compliance, and what advice do you give them?
Two main topics come up when organizations start thinking about GDPR:
- How do I find out what data I have and if it contains PII, sensitive PII, and PCI?
Businesses need a modern technology solution to perform discovery, classification, and control. Trying to achieve these manually will take far too long.
- How do I manage Subject Access Request processes and case management tracking?
Processes should be mapped out, agreed upon internally, ratified by the organization’s legal representation, and implemented using an automated solution. Automating these processes means the organization can now report accurately on their current level of risk and limit the chances of human error or human-centric delays.
9. Every company is different, which means their processes will look different. How can an organization customize their GDPR automation goals to fit their operating model?
Companies are choosing many different routes to tackle GDPR, and each comes with a set of challenges:
- Commercial off-the-shelf solutions (COTS) – Potentially quick to implement, so long as your organization resists working around the solution. Typically, a company’s desire to adapt the solution over time leads to high development costs.
- Build in-house – This is arguably the most adaptable option because it is customized to the company’s needs. However, delivery and adaptation timeframes can be drawn out and high-risk.
- No code solutions – A middle ground, like no code solutions from Nintex, can suit organizations from any sector. Flexibility means organizations can deliver processes they want and need. Standardized templates can get organizations up and running fast. And rapid, agile design approaches mean the solution can easily be adapted as a business matures or legislation changes.
What kind of solution is your organization implementing to become GDPR compliant?