With legal entities operating all over the world, HID Global must remain in compliance with a varied range of laws and regulations. Given the significant EU data privacy regulation changes on the horizon, we sat down with Mark Camero, HID Global's Vice President of Legal and General Counsel, to discuss the company's strategy for coming into compliance with the EU's General Data Protection Regulation (GDPR) in time for the May 25, 2018 deadline.
Tell us about HID Global Corporation.
HID Global’s defining goal is to power the trusted identities of the world’s people, places and things. If you have ever used an access card, key fob, or other non-key device to open a door, it’s likely you’ve used an HID product. Although we are best known for our cards and access readers, we also make software and solutions to access networks using secure digital identities, ID card personalization products such as printers and encoders, government-to-citizen ID cards, and products that help track and identify technologies. We also manage access compliance within physical security infrastructures in public and private buildings such as airports.
We are headquartered in Austin, Texas and have offices throughout the globe, which support operations in approximately 100 different countries. We currently have 2,200 employees working around the world, but we are growing quickly, both organically and via acquisitions.
What is your role at the company, and what element do you most enjoy?
As Vice President of Legal and General Counsel, I’m responsible for HID’s global legal affairs. Much of my time is devoted to setting the strategic vision for the legal department and strategizing how to manage fast growth while staying compliant with internal policies and external laws and regulations. Most recently, this latter effort has focused on preparing for the new General Data Protection Regulation (GDPR).
Let’s talk more about GDPR. Can you give a quick summary of what GDPR is?
The increasing global emphasis on individuals’ rights with respect to personal data is something I’ve seen develop throughout my years practicing law. Many countries have laws related to data protection and privacy, but GDPR, which becomes effective on May 25, 2018, provides a particularly robust data protection framework. One big challenge posed by the GDPR for global companies like HID is that the regulation applies not only to enterprises located in the EU, but also to enterprises located outside of the EU that market goods or services to individuals inside the EU. We have customers and employees worldwide, so the GDPR will immediately and critically impact how we collect, store, share, and keep safe the personal information of our customers and employees.
For us, these regulations are resulting in an overall cultural change. There’s a concept in the GDPR known as “privacy by design,” and we’re embedding that philosophy into new processes, new services, and new solutions. What this concept means is that as you are designing new products and services, you no longer can afford to just ignore data privacy protection. It now needs to be part and parcel of the creative and implementation process. So as a company like HID, where we are responsible for the identities related to solutions for trusted identity services, we are thinking about data privacy in everything we do now – from an engineering, marketing, and branding perspective.
When did you all first sit down to map out how GDPR would impact and interact with business operations?
Discussions began in 2016, but the hard kickoff was in January 2017 – giving us approximately 18 months of preparation time. Initially, we started with a steering committee, chaired by our Chief Financial Officer, which included the Vice President of Information Technology, Human Resources, and me. We later expanded the team to include a representative from each essential function within the company. It was this expanded team that allowed us to dig deep into the data we have to think about, where it is, and how it is affected by the new regulations. We’ve also worked with external resources, including outside law firms and IT companies with experience mapping data flows throughout large organizations.
From a focus and resources perspective, this data mapping question has been the heaviest lift – figuring out what data we have, where it is, whose it is, what it is being used for, which departments and organizations are using it, who touches it and how, where it’s going, and where it’s coming from.
Once you got a sense of the data mapping and brought all of those people into the room, how did you ultimately devise a plan for implementation, and what does that plan look like?
It’s a phased approach with the ultimate goal of compliance on May 25, 2018. Phase one is data mapping. We put together a questionnaire for the core team members in the functional areas and asked them, essentially, where they keep their data and what data they typically collect from customers and employees. Phase two is understanding what is required by GDPR. Phase three integrates the work from the previous phases: we think about the data flows that we’ve identified and figure out how we can isolate them in a secure server, using encryption technology or other IT magic. Then we run that alongside the actual requirements of GDPR to make sure they are met. Phase four is the rollout of GDPR-compliant IT as well as corresponding internal policies and procedures for remaining in compliance with GDPR. Then the final stage will be the full implementation of the IT solution in combination with the procedures. This phase may initially be more manual but will take us into compliance. Over time, we will gradually shift from a quasi-automated manual process to a 100% automated process that reduces compliance costs and removes human error from the equation.
Conceptually, our focus throughout all phases is scalability. We can’t produce something that can only be used by one HID company – we have legal entities all over the world, and although GDPR only technically covers the personally identifiable information (PII) of EU citizens, we found it’s very difficult to isolate this data in a global company like ours. Instead of trying to spin our wheels dividing up the universe, we decided to make GDPR compliance part of our global compliance program for all HID entities worldwide.
Are you going to do a phased rollout on an entity-by-entity basis, or will everything get done at once?
We’re certainly going to begin implementation with EU-based entities first because the risks are clearest there, but we’ll then turn to implementation in our non-EU entities. Again, the whole process is designed to be scalable and replicable. If it’s something we can’t replicate for entities in other geographical regions, then we’re doing something wrong.
Can you give me an example of a procedure that will initially be manual and eventually automated?
The right to remove data is a great example. Although it will be built into some of our applications, for others, it will be a manual process for a while. So a customer sends us an email saying they want to be removed from our database, and we’ll have a procedure in place whereby that file will need to be deleted by an actual employee, who must use appropriate deletion procedures and manually ensure that all instances – both electronic and paper – of that data have been destroyed. Later, everything will be on a secured server whereby that employee could enter the person’s name, and the technology will locate all instances of that person’s data and delete them accordingly, instead of having to manually go through and identify where the file is and delete all instances by hand.
What elements of compliance have been the most difficult to address?
As a trusted identity company with operations all over the world, we collect and store a tremendously high volume of data – much of it PII – and some of it through web applications and cloud-based services. Accordingly, data mapping has been the biggest GDPR-related compliance challenge for us. Once that process is complete, the implementation processes will proceed more easily.
Have there been any situations in which you realized you had to make a change in the way data flows in order to comply?
Absolutely. Here’s an example of a big change. Although we have our global headquarters here in the U.S., we have employees all over the world. Previously, HR used a variety of approaches for sharing information across global locations. But in order to comply with GDPR, someone in HR can’t just email a document to a counterpart or create a Dropbox link and share it. When transferring employee data, HR will need to access a locked-down server in the EU and then send the person in America an access-only – i.e., no printing, no saving, no editing, etc. – link to that server. Further, such link sharing will need to be restricted to individuals who need to know that data.
In addition to building the tech, I imagine there is a lot of work that goes into training individuals globally, too.
Training is a critical component to GDPR. It will be a required training for all existing employees on what GDPR means for the company and their specific roles. The program will need to include an initial retraining as well as periodic follow-up trainings to ensure compliance and continuing knowledge and understanding. We’ll also develop a separate training for new hires.
Will you bring in outside GDPR consultants to run trainings or handle them internally?
We’ll probably manage it internally because we’re going to have our own unique processes in place. We might work with outside experts to develop the generic materials, but as far as the HID processes and procedures, we’ll need to do all of that in-house.
Have you made any mistakes in terms of planning or implementation, and what lessons have you learned along the way?
I wouldn’t say this was a mistake, but when we started the steering committee, we thought we had a pretty good handle on the process. Once we opened it up to the core team though – about 12 individuals – we realized implementing GDPR is a full-time job. So we hired a program manager just for our GDPR internal development process (not to be confused with our data privacy manager, which is a role required by GDPR). We found someone with an IT and data security background to run and manage the program. There are a lot of moving pieces, and we were quickly getting lost trying to keep up with who was doing what and who was responsible for what, so this person keeps us on task and probably would have been useful several months earlier than we made the hire. If anyone is starting the process today, getting a program manager in place should be priority number one. The more general lesson is to treat GDPR compliance like any large-scale, company-wide project because, if you are doing business in the EU, it touches every possible aspect of the company: everything from sales, to technology, to human resources, to accounts payable.
Are there any other practical steps you would recommend to companies that haven’t started this process?
The best time to start GDPR work was 20 weeks ago, so if you haven’t started, start immediately and get the program manager in place as quickly as possible.
Second, for companies just starting the process, expect to be surprised by how much everyone touches PII. Even just the process of hiring someone – receiving a resume, saving the resume to your desktop, printing it – that’s handling PII. Understanding and getting a foothold on where your company’s PII lives and how it flows is the predicate to achieving compliance, so make sure to allocate sufficient time and resources to this stage of the process.
If you had to estimate, how many months do you think this process is going to take you from start to finish?
All-in, to get to a place where we are totally compliant will take us about 16 months. After that, we will focus on making the next generation better, more efficient, faster, and more scalable with automation. That’s the work we’re going to do after the fact, but come May 25, 2018, we’re going to be compliant, and at that point, we’ll have been working on it for 16 months.
Wow, that is quite a project.
Yes, but again, you have to look at your organization. If you are primarily based in the U.S., and you have minimal EU interaction, you’re still going to have to comply with the data privacy requirements on the controller, but the amount of data you’re touching isn’t going to be as great, so the mapping will be a bit easier, and you can probably get on top of the compliance more quickly. However, if you’re a massive global IT company, you’re involved in any kind of infrastructure, or you’re dealing with significant quantities of PII, my best advice is get going now if you haven’t started yet.
Do you anticipate GDPR implementation will conflict with other local data privacy regulations in other jurisdictions?
GDPR is the most rigorous standard right now, so this hasn’t yet been an issue – although the new China cybersecurity laws that come into effect on June 1 are also extremely protective. Latin American countries are looking to establish something similar, but right now GDPR is the standard for data privacy.