On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. Global companies that operate in the European Union (EU) must learn and understand the ramifications of the regulations now in place. GDPR is a large body of law, and it can be confusing and outright intimidating. There have already been reports of companies “going dark” or putting operations in the EU on hold as they scramble to shore up their GDPR processes and procedures on the back end and avoid incurring substantial penalties.
For manufacturers, the personal data privacy issues associated with GDPR may not be keeping the C-suite up at night. After all, a manufacturer’s ERP system doesn’t usually focus on personal data. However, this does not mean there is no personal data stored in customer cloud environments. This data can include access data (usernames, tracking of modifications to the database) and contact information (names and addresses of our customers’ customers and suppliers). While every company is different, there are best practices that can help them deal with evolving regulations as they occur.
Key considerations include:
- ERP cloud solutions usually do not check what data a customer stores in their cloud environment and do not access the data unless required to deal with, for instance, a support issue.
- Clearly state in contracts that the ERP supplier will only use customer data to provide services to the customer. Clarity will ensure that the ERP supplier complies with applicable data protection regulations.
- Utilize robust frameworks: Service Management Systems (SMS) and Information Security Management Systems (ISMS) that are geared around data protection and cybersecurity. These systems are validated by various certifications, including ISO 27001, ISO 20000, CSA STAR, SSAE 18 SOC reports and the Privacy Shield Framework. Achieving these certifications demonstrates that a company has taken the security requirements under the GDPR seriously.
- Make sure to have data centers located in the EU to alleviate the need to store EU-related data elsewhere.
- Realize that maintenance of the cloud applications is separate from the database containing the data, i.e., there is no need to access personal data when updating the cloud applications (single tenant deployments, segregated environments).
Four Key GDPR Maintenance Areas to Address
No. 1 - Establish a dedicated regulatory compliance function
Establish a process for collecting information on existing and anticipated laws and regulations. Such information is available from a variety of sources including from the regulatory agencies themselves, free newsletters and commercial providers. Once the Compliance team has reviewed and analyzed changes to the legislation for applicability and impact, it communicates its findings to all the relevant parties within the company including the quality unit, functional departments, regional teams (e.g., for good distribution practices), and regulatory affairs. Process owners in these various departments then implement the changes to comply with the new requirements. The quality unit needs to verify timely compliance through internal audits throughout the process.
No. 2 - Put the right communication channels in place
Depending on what it does, a company qualifies as either a controller or a processor with regard to data. When a company processes personal data in the context of its corporate functions (HR, finance, sales, etc.), the company qualifies as a controller. When a company processes personal data in the context of services engagements with customers, among which the provision of cloud services, the company qualifies as a processor. The distinction between the two is important for GDPR compliance communication channels. If a person wishes to revoke consent for his or her personal data, they will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller would then request that the data processor remove the revoked data from its servers.
When a regulation is applicable, a company must determine whether its current security measures and controls are sufficient or whether new measures or controls need to be implemented. This is called risk management. Ongoing risk management is needed because, in the case of data protection, regulations and best practices such as GDPR take into consideration, and apply according to, the type of personal data and the risks associated with processing those data. Technical and organizational measures should be implemented that ensure a level of security appropriate to the risk.
No. 3 - Build a security ISMS framework accredited by outside firms focused on data security, cybersecurity and privacy
In general, compliance requirements are low for systems containing contact data. Systems containing HR data must meet more stringent requirements and for systems containing special categories of data even higher requirements apply. Please note that the required measures evolve with the state of the art; what is adequate today may not be adequate tomorrow.
The GDPR states that adherence to approved codes of conduct or approved certification mechanisms can be used to demonstrate compliance. While no specific codes of conduct or certification mechanisms have been named, establishing robust compliance frameworks within the organization’s governance under ISO 27001, CSA STAR and ISO 20000 will help satisfy many data protection needs.
No. 4 - Work with Customers to Ensure Compliance is Top of Mind
Make sure to build communication channels and protocols to help customers stay compliant with changing regulations and, if necessary, to notify them of data breaches and other issues that need their attention. Some companies implement dedicated Information Security Incident management procedures with special, agreed-upon protocols for managing customer communication.
Encrypting a cloud customer database at rest and making it inaccessible to those who maintain the cloud applications that operate on the database may further help to put customers’ minds at rest. Be vigilant around access controls and focus on solutions where access to personal data is further restricted, such as Privileged Access Management (PAM) systems.
Last but not least, customer-facing services agreements need to contain clauses on personal data processing and address all major areas of compliance. Work with customers if they have additional requirements, such as the adoption of a separate data processing agreement.
To conclude: establish a dedicated regulatory compliance function, put the right communication channels in place, build a security ISMS framework accredited by outside firms focused on data security, cybersecurity and privacy, and build a communications framework with customers. Doing so will help you stay current with applicable regulations and compliant with new and amended data protection laws.
Rob Janssens is Sr. Manager of Process and Compliance at QAD.