GDPR is a European Union regulation which mandates compliance in how data operators and data owners manage and secure the personal data of EU residents (citizens and non-EU citizens who reside in the EU). While this is a non-US regulation, it affects almost every American organization because of how data flows around the globe. If your organization collects or processes data on EU residents, you must comply with GDPR with effect from May 25, 2018.
The exact GDPR compliance requirements will depend on your own circumstances; however, the organizational challenge everyone faces is effectively managing the third-party vendors that process or access your data.
This is where HighGear is an ideal solution for extending visibility and control beyond your organizational boundary and into your vendors.
Let’s first take a high-level look at the GDPR requirements and set the scene.
GDPR demands greater control over personal data and the safeguarding of the privacy of EU citizens, including:
- Identity information – name, address, Social Security Numbers (and equivalents)
- Online and web data including IP address, use of cookies and cookie data, RFID data, physical access location
- Biometrics
- Racial profile
- Political views and affiliations
- Sexual identity and orientation
GDPR applies to any organization which:
- Has a presence in the EU; or
- Processes data of EU residents and citizens regardless of whether located in the EU or not
and
- Has more than 250 employees; or
- Has fewer than 250 staff but processes data which affects the rights of EU residents and citizens (unless it is an irregular occurrence) or includes specific types of data considered sensitive.
This is a very broad law which, for instance, catches web visitors coming to a US website which collects information from that visitor. For example, a German resident visits Amazon.com and a cookie is applied, or a transaction entered into (not necessarily completed): Amazon US is caught by GDPR provisions on how it manages and secures the data.
Establishing internal compliance is going to place a significant burden on the data and security teams within your organization, but the biggest issue is how to manage compliance and enforcement when your data is being managed or processed by external third parties.
Whatever your compliance policies and controls, it is vital that you create visibility and accountability into what third-party vendors are doing on your behalf.
This is important because under GDPR if your third-party data processor is not in compliance then neither are you!
This is a glaring risk and creates significant exposure and potential liability for your company, which you can effectively mitigate with a workflow solution such as HighGear.
Here is a link to the EU GDPR website and portal.
Using Workflow Software to Extend and Manage Third-Party GDPR Compliance
No-code workflow platforms like HighGear provide the ability to extend compliance with company policies and processes beyond their organizational boundary.
We have seen how no-code workflow solutions can effectively bake compliance rules into your organization, which we covered in this post.
The challenge in complying with GDPR is two-fold:
- The speed with which compliance must be established; and
- Ensuring third-party vendors touching your data are also complying.
Your specific policies and controls for GDPR compliance will be determined by your own unique circumstances, but the common issue every subject organization is going to face is how to create visibility into its vendors’ processes and activities.
The speed with which HighGear can create and deploy compliance workflows can be seen in the following video:
The challenge of managing third-party vendors is more difficult, because they exist beyond the normal control and view of internal managers. However, by extending workflows beyond the corporate boundary into your vendors’ organization, you can stipulate exactly how your data will be processed, control who specifically gets access to data, enhance security, and most important of all, demonstrate that you and your vendor have complied with GDPR provisions.
One of our customers, a major oil and gas pipeline operator, uses HighGear to manage all of its pipeline commitments, including managing hundreds of third-party vendors responsible for performing the work they have agreed to perform in exchange for being given approval to run a pipeline. HighGear manages the schedule of when things must be done, by whom, and then collects the information of work completion in a digital format, e.g. photographs of a painted section of pipeline, and then automatically notifies about work completion and records evidence of compliance.
Another user of our no-code workflow platform is cfX, which is regulated by both the SEC and the Municipal Securities Rulemaking Board (MSRB). cfX demonstrates how quickly compliance workflows and automation can be created and distributed into a live environment, and how the speed and management of complex compliance workflows both inside and outside the organization have been achieved using HighGear.
This is not GDPR, but the principle is the same: external vendors are being effectively managed with clear accountability and visibility into how they perform work on behalf of their principal, including evidencing compliance in terms of scheduling, work quality, and information security, and demonstrating end-to-end compliance in an onerous, sophisticated, and complex regulatory environment which changes frequently.
In a heavily-regulated and fast-changing compliance environment spanning multiple jurisdictions and regulatory layers, compliance with commitments is demonstrated at every step, both internally and with external vendors.
Going even further, because HighGear is a digital transformation platform, all information is recorded and stored electronically, which means reporting can now be run off the database automatically.
This means routine reports can be created and automatically distributed in a secure format that only allows access to data based upon the individual recipient’s security classification. Ad hoc reporting is also much faster, allowing almost real-time visibility into compliance workflows and the status of any individual activity down to the most granular level.
A last note: GDPR is onerous and very broad-ranging; however, if the history of EU regulation-making is anything to go by, this is not going to be an end-point. While GDPR may have taken some time to come to fruition, EU lawmakers are going to be looking at how it works in practice and at developments in future technology and data-collecting platforms. What this means in terms of precise rule changes is unclear, but what is 100% certain is that there will be change, and your organization must be able to manage it quickly and effectively; only a no-code workflow software solution is going to satisfy these requirements in an efficient, cost-effective, and compliant manner.
GDPR Summary
GDPR is a far-ranging EU regulation mandating compliance by May 25, 2018 for any organization which collects or processes the data of EU residents (not just citizens).
This will include any company-operated website visited by EU residents which collects data, including IP addresses, or uses cookie data.
Almost every American organization is going to be caught by these provisions, and the EU has a substantial track record of levying heavy fines against non-EU companies.
If your third-party vendors touching your data are not in compliance with GDPR, then neither are you.
No-code workflow software is an ideal solution for creating and managing compliance in heavily-regulated industries, for baking in compliance, and for extending organizational visibility and procedures beyond the organizational boundary.
HighGear is a proven workflow platform with a demonstrable track record of providing compliance and visibility into the work conducted by third-party vendors and demonstrating regulatory compliance at scale.