The Content Management Industry's Headline News, Articles & Advisory Resource CMS-CONNECTED MEDIA CORP

David Komarek Mapping Out the Steps to GDPR Compliance

The drumbeat has started to pick up as we are getting closer to the General Data Protection Regulation (GDPR) deadline of May 25, 2018. A breach of the GDPR can result in fines of up to €20 million or 4% of annual global turnover (whichever is greater) and Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. Therefore, on one hand, many vendors are striving to add necessary capabilities to their platforms, on the other hand, they help their customers prepare for the new regulations before they take effect. In fact, last week, Kentico had a one-day event dedicated to the GPDR in London to give the audience an overview of the GDPR and what content management systems’ role is in making GDPR compliance easier to implement. Our media reporter Laura Myers was on location in London to capture the buzz and conversation on the event floor as well as to conduct exclusive interviews with the experts. To that end, she interviewed one of the keynote speakers, David Komarek, Product Owner at Kentico Software, to inquire with him about his experience with the project of mapping out the necessary steps to GDPR compliance from a customer perspective.

To understand the customer perspective, David and his team developed their own sample site called “Dancing Goat” (loved the name) so they could gain the firsthand experience needed to see what their customer will exactly go through and how helpful Kentico’s platform could be on their GDPR journey, as well as what else Kentico would improve upon. What they have essentially examined with that sample site was Data analysis, GAP analysis, and GDPR implementation.

The steps of data analysis consist of categorizing personal data, identifying owners and locations of personal data, identifying sensitive personal data, identifying purposes, personal data security risks analysis and, identifying processes related to working with personal data. During the interview, David stressed that the data audit process may get quite intense when organizations are going through GDPR preparation thus he suggested to bring in a legal expert and take their legal advise seriously. For instance, when the Kentico team completed their data analysis, they identified some inconsistencies for the purpose of data processing and the license for such processing which is in direct breach with Art. 6 of the GDPR, which states the conditions for lawful processing. In that case, what David recommends to solve these inconsistencies is gaining consent from the data subjects.

The steps of GAP analysis that Kentico ran for their sample site, Dancing Goat, included legal title or consent for processing personal data, data minimization, Privacy by design and Privacy by default principles, the need for DPO and the need for DPIA (Data protection impact assessment), review of existing documentation and information provided to data subjects, data subject rights implementation readiness (Right to access, Right to be forgotten, …), data processor agreements, and data transfer to third parties and countries.

After running these two essential analyses of the data audit process, what Kentico concluded was that their sample site, Dancing Goat, wasn’t dancing well with the GDPR after all. In other words, it is not compliant with the GDPR as the processing misses the requirements of the GDPR on lawfulness, transparency, awareness, and accountability. Here’s a rundown of the reasons why the site couldn’t meet the requirements:

  • The site isn’t prepared to address the rights and requests of data subjects.

  • It doesn’t keep records of processing.

  • Its privacy policy lacks many required points.  

And now, here’s the list by David of what the site needs to address to comply:

  • Procedures to address complaints;

  • Procedures to respond to requests for access to personal data;

  • Procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data;

  • Procedures to respond to requests to opt-out of, restrict or object to processing;

  • Procedures to respond to requests for information;

  • Procedures to respond to requests for data portability; and

  • Procedures to respond to requests to be forgotten or for erasure of data.

  • Maintenance of Frequently Asked Questions to respond to queries from individuals;

  • Investigation of root causes of data privacy complaints;

  • Monitoring and reporting of metrics for data privacy complaints (e.g. number, root cause).

“A data inventory or data flow mapping is the first step in any GDPR compliance program,” says David. As a tip, the Kentico team suggests identifying every unique type of personal data (e.g. first name, street, IP address etc.) and for each type, we then assess its attributes, during the data inventory. Here’s a sample of data mapping by Kentico:  

If you couldn’t be in attendance, you can still benefit from David’s keynote as he shared the key takeaways with CMS-Connected:

  • Trying to avoid GDPR is probably not the best strategy

  • You don‘t want to see a conclusion like the one Dancing Goat received

  • Start with mapping personal data you are processing

  • Get as much information from vendors as possible

  • Obtain consents where required

  • Especially when tracking visitors on your website

  • Address data subjects rights

  • You will need a process for it as 72 hours is not much time

My POV

Understanding what the regulation is looking for from a data management standpoint sounds like a great starting point. As it is quite a new area for many of us, bringing the right experts in seems to be a crucial step. In the GDPR scope, from my understanding, consent will be king rather than content. It is certainly a large project to undertake so to allocate on GDPR readiness and compliance efforts will not be cheap. However, when you compare the steep penalty that organizations will face in the event of non-compliance after the GDPR has come into effect, it’s nothing thus as David stressed avoiding GDPR is probably not a good strategy. Despite the fact that a serious effort will be needed to comply, GDPR is a change for the good as the current policy is putting consumers in a very vulnerable position considering we all leave a trail of data about ourselves whenever we interact with sites without even knowing who is using it. Putting consumers back in control will construct an environment of trust for everyone. If you are interested in hearing another perspective on the GDPR, check back to our site next week as we will be publishing Laura’s informative interview with Tim Walters, Principal Strategist and Privacy Lead at The Content Advisory, on the notion of data protection by design and what that means for businesses moving forward.

Venus Tamturk

Venus Tamturk

Venus is the Media Reporter for CMS-Connected, with one of her tasks to write thorough articles by creating the most up-to-date and engaging content using B2B digital marketing. She enjoys increasing brand equity and conversion through the strategic use of social media channels and integrated media marketing plans.

Laura Myers

Laura Myers

A digital business, marketing and social media enthusiast, Laura thrives on asking unique, insightful questions to ignite conversation. At an event or remotely, she enjoys any opportunity to connect with like-minded people in the industry.