The EU's General Data Protection Regulation implementation date is now less than a year away. With organizations around the world pushing to ensure they are GDPR-compliant, a deluge of products and services has been released aimed at helping companies avoid the legislation’s massive financial penalties.
One of those products, which comes with a dash of services, is Gigya’s Privacy by Design Program, which is broken into five steps for companies to incorporate the core tenets of the GDPR into their systems.
The first step is a technical readiness self-assessment, where Gigya goes in and audits a company’s systems to see if they have the specific capabilities to meet the rights of data subjects under the GDPR, including the rights to edit, update, and erase data and the right to data portability. The self-assessment step examines the ways companies are recording and managing consent, the types of data a system possesses, and whether the company is supporting a culture of privacy by design.
The program also requires companies to do work before initiating the process to determine where their data is located and any other risk areas. Once the assessment is completed, the program produces a privacy-by-design strategy workshop, where a specific action plan is created for the organization to become GDPR-compliant.
“We are hopefully bringing together digital as well as IT, legal, and security and risk stakeholders to really come together as a project team in terms of how we are going to close and solve some of the gaps identified in the self-assessment, and probably even beyond that,” Gigya Senior Vice President of Marketing Jason Rose said in a phone interview with Privacy Tech.
From the workshop comes the privacy-by-design blueprint, a roadmap to determine the way implementation will proceed. This helps companies identify what systems need to be put in place, the workflows needed to capture consent within digital platforms, how to govern data flows across the system, and what digital properties are needed to give consumers the option to opt-in.
The last two steps involve the actual implementation of the action plan, then a quality assurance review to ensure all of the processes are working properly. The goal is not only to ensure companies are GDPR-compliant, but to instill a privacy culture within an organization.
Rose said the company wants to take a company’s first-party consumer data and use that information alongside its technology to create a better experience for users as they control their data through the registration, account creation, preference management, opt-in, and consent processes. By helping its customers have a solid relationship with their data subjects, Rose said Gigya's tech solution is helping organizations create a culture of transparency, and it was this view on privacy that led to the creation of the Privacy by Design Program.
“The importance of privacy by design is both the education and awareness of people across an organization. If this just sits in the privacy team and doesn’t propagate out across the organization, it by definition cannot be privacy by design,” said Rose.
Rose said the companies with the most to benefit from the platform are the larger enterprise businesses with data spread out over many different systems. Rose said Gigya worked with the legal and privacy teams of their customers to parse out the GDPR and found they were running into similar issues.
“We struggled with some of the same topics that our customers struggle with in that while GDPR was ratified in the spring of last year, some of the more detailed implementation components are still being put in place today,” said Rose. “The real test will be once the ICO starts enforcing it.”
Gigya is hoping its program sticks out from the sea of GDPR-related products by its approach. Rose said the program is not bolted on top of or next to other digital processes just to conduct audits, but it’s rather an operational system.
“We actually provide the front end that interacts with the customer, collect the consent, allowing them to manage their preferences, all within a customer’s digital properties,” said Rose. “We’ve got some of the biggest CPGs and media companies in the world using the Gigya platform to provide that customer sign up and interaction experience.”
With the GDPR still almost a year away, there is still a lot of time for the Privacy by Design Platform to evolve. Rose said he does not see May 25, 2018, as an end date, but rather a start date. He also said Gigya has learned a lot about interpreting and implementing the tenets of the GDPR from working with its customers over the past 12 months.
“I expect those learning to be continuously incorporated into this methodology and platform over the 12 months and even beyond the May 25, 2018,” said Rose.