The short answer is that it won’t look much different from right now! That’s why I am perplexed by the freakouts and meltdowns many are having over the European Union’s (EU) General Data Protection Regulation (GDPR) May 25 deadline.
While this is an important date for all of us to mark on the calendar in order to observe what will happen over the next few months in terms of enforcements and fines, let’s not forget that GDPR has been law for two years now! It does not go into effect on May 25; it already is in effect. The two years we have just lived through have been a grace period for enforcement. All of these activities are items we should have been doing all along. For those who still are not there, today is not some doomsday after which you can no longer build your privacy programs; you can continue to improve and expand on what you already have in place.
How has Sumo Logic Prepared for GDPR?
Over the course of the past few months, we’ve been receiving questions from our customers on how we’ve been preparing the Sumo Logic platform to comply with GDPR law, as well as what we are doing to help our ecosystem (customers and partners) ensure they are GDPR compliant.
We had already built in security by design, so progressing to privacy by design was a natural addition. We have been mapping all our data flows and conducting privacy impact assessments (PIAs), as well as data protection impact assessments (DPIAs) when needed.
Data Subject Access Request (DSAR) Portal
My technical counterpart has worked hard to create a Data Subject Access Request (DSAR) Portal for data subjects to use when they are seeking to exercise their rights. We have also developed a Privacy Insight dashboard that allows customers to search their logs for personally identifiable information (PII) and special category data. This dashboard is currently on the roadmap, available to select customers as part of a beta program, with plans to make it publicly available later this year.
We have also engaged a third-party auditor to conduct an assessment of our environment against the requirements of GDPR. The outcome of this assessment will be a report we are able to share with customers.
We have received many last-minute data processing addendums (DPAs) in the last couple of weeks. Luckily, we have been preparing for this deadline. We have our own DPA on our self-service portal, and this has greatly helped to streamline our response to customer needs. I do not think the stream of requests for DPAs will evaporate on May 25, as this is now a part of doing business at a global level.
What are the Biggest Changes Ahead?
The biggest changes coming as of May 25 are the following: the wave of data subject access requests (DSARs or SARs), and watching the court rulings, which will result in a few likely outcomes, most notably fines and clarifications around the regulation (something many will welcome).
The handling of the DSARs/SARs will be a new process for most of us, Sumo Logic included, and will be a “build the plane as you fly it” learning and modification exercise. Most of us will have several avenues of data streams that data subjects may be seeking to exercise their rights against. Our main business flows include marketing, sales and of course, our current and former employees residing in the EU.
One of the biggest points to remember when processing these requests is that the data subject rights are not absolute. If your organization has a business reason to keep this data, you have the right to reject the request. Of course, you must give reasoning and prove that you need the data. Your basis may be PCI DSS requirements, health care or financial retention, forensics and so on. You cannot deny a request because it sounds like too much hassle. GDPR article 12 states that in some circumstances, an organization may charge a reasonable fee. (Please consult article 12 and legal counsel instead of quoting me).
What Can we Look Forward to?
This is subjective on some level; however, I, for one, am looking forward to the rulings. No, I do not plan to make up some popcorn and watch like some big drama, but I am looking forward to the clarifications that we all have been hoping will happen in post “May 25 land.” I do not think we will see any changes overnight, and I am trying to watch what I do wish for, but I am hopeful that some of my predictions will indeed come true!
This is indeed a new era of data protection and privacy that we are watching unfold. I hope that data subjects, not just in the EU but also worldwide, will start to understand that one of their greatest assets is their data and they must start (and continue) to protect it and seek to understand how and where it is being used.
What Privacy & GDPR Resources are Available to Customers?
- Sumo Logic Self-Service Portal for filling out DPAs, and any other privacy/security related customer concerns, questions or needs
- Dark Reading byline series
- Sumo Logic Privacy & GDPR dashboards
- GDPR Compliance: Low Cost, Zero-Friction Action Items (via Cloud Academy)
- 5 Practical Steps to GDPR Success (via IANS — Paywall)
- Get your GDPR Ducks in a Row (via IANS — Paywall)