General Data Protection Regulation D-Day is looming, and many companies are finding themselves in a state of panic. We know that companies must be compliant by May 25, 2018, but how exactly do we get there? There is confusion as to where to begin, and panic about the number of tasks that must be tackled before the deadline. Yes, it can feel overwhelming, but following a few steps can give that push in the right direction and make the journey to GDPR compliance a little more manageable.
GDPR is prioritizing data protection for businesses
It’s in the news, in the papers and in our boardrooms. It is a very topical conversation at present, and for good reason, too. Everyone needs to be GDPR compliant, and as of yesterday.
Understanding a few core aspects of the regulation can help you develop an understanding of the GDPR and the importance of GDPR compliance. They are:
- Ramifications of non-compliance are severe (hence the panic!).
- The reach extends beyond the EU. The regulation applies to the personal data of individuals in the EU, whatever their citizenship, and to any organization that offers them goods or services or monitors their behaviour. Running a business located outside the EU does not give you a “get-out-of-jail-free card”!
- An in-depth knowledge of the data we manage and process and the flow of data is imperative.
- We can no longer get away with going about processing in an ad hoc manner. We must have control over our data and processes and be able to prove that this is the case at all times.
- The requirement for a data protection officer (DPO). Do you need one?
- Understand your data, understand your processes, and make sure everything you do is done intentionally and for good reason. (If unnecessary —get rid of it! Alternatively, an overhaul may be necessary.)
- The data subject (and their rights) is at the root of it all!
Before taking any drastic measures, such as removing functional systems because they are not compliant, consider your setup and re-evaluate the measures you use to securely process personal data. Keep in mind that the GDPR is not only about securing data but about securing processes, too.
Albeit complex, the drive to GDPR compliance can also be seen as a chance to prioritize data security and reinforce control over data governance and management. So, what is it that we need to do?
Step one: The data discovery audit
A comprehensive data discovery audit is always a good place to start (also a good step to end on — in other words, revise and then repeat). It is a means to evaluate your data, systems, and processes. It is a means to discover gaps, to be able to then put things right. Entire systems must be audited, including the data models inside each system.
Step two: Classify the data
The aim of the initial audit should be to uncover the following:
- The type of data processed
Every data source must be located and accessed, no matter which systems are used, so that all personal data can be extracted, categorized, and classified. All personal data, whether structured or unstructured, at rest or in motion, must be audited so that it can be dealt with correctly. The volume of data involved means that cataloguing must be automated rather than manual if the compliance deadline is to be met. The output should be a personal data inventory.
- The location of the data
It is imperative that you know exactly where the data is at any given time. This matters for building a portfolio to evaluate and manage the security risk of the personal data that you process, and it matters for compliance itself: where data is physically stored determines whether the GDPR’s rules on transfers outside the EU apply. The organization must be able to prove the location of the data that it holds.
- The purpose for processing and/or storing the data and know what the data is used for
You must know the reasons for processing the data and have a lawful basis for doing so. Consent is only one of the lawful bases (others include performance of a contract, a legal obligation, and legitimate interests), and where you rely on consent it must be specific, informed, freely given, and demonstrable; explicit consent is required for special categories of data such as health or biometric data. Data collected for one purpose must not quietly be reused for another.
- Data access and how access to data is controlled
To be compliant, all lines of business must understand the rules. Privacy policies and rules must be documented and shared with everyone in the company. Access to personal data must be properly governed. Personal data should only be accessible to those with the appropriate rights, recognized in the roles and definitions laid out in the governance model. By achieving this, the required level of control can be reached.
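The audit described in the steps above can be bootstrapped with an automated discovery pass. The following is an added example, not code from the original article: it scans a few constructed text sources for e-mail addresses, phone numbers, and Luhn-valid card numbers, builds a per-source inventory, and answers the question an access or erasure request will ask: in which systems does this person’s data live? The detectors, source names, and sample records are hypothetical; a real discovery tool would also walk databases, object stores, and backups.

```python
import re
from collections import Counter

# Added example, not from the original article. Detectors are illustrative
# starting points, not a complete personal-data classification scheme.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Loose digit-run pattern (space only, so a run never spans lines); a
# secondary check filters out dates and too-short runs.
PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

SAMPLE_SOURCES = {  # constructed sample data, not real records
    "crm/export.csv": (
        "id,name,email,phone\n"
        "1,Ana Silva,ana.silva@example.com,+44 20 7946 0958\n"
        "2,Bo Chen,bo@example.org,\n"
    ),
    "support/tickets.log": (
        "2018-03-01 ticket 42 from ana.silva@example.com "
        "re: refund to card 4111 1111 1111 1111\n"
    ),
    "ops/build.log": "2018-03-01 build 7 ok, 5 tests, 0 failures, took 1234567 ms\n",
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_phone(candidate: str) -> bool:
    """10-15 digits and not an ISO date (dates trip the loose phone pattern)."""
    if DATE_RE.match(candidate.strip()):
        return False
    return 10 <= sum(c.isdigit() for c in candidate) <= 15


def scan_source(text: str) -> list:
    """Return (category, value) findings for one source. Card matches are
    masked before the phone pass so one digit run is not counted twice."""
    findings = []
    masked = text
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("card", m.group()))
            masked = masked[:m.start()] + " " * (m.end() - m.start()) + masked[m.end():]
    for m in PHONE_RE.finditer(masked):
        if looks_like_phone(m.group()):
            findings.append(("phone", m.group().strip()))
    for m in EMAIL_RE.finditer(masked):
        findings.append(("email", m.group().lower()))
    return findings


def build_inventory(sources: dict) -> dict:
    """Per-source counts by category: the seed of a personal data inventory."""
    return {name: dict(Counter(cat for cat, _ in scan_source(text)))
            for name, text in sources.items()}


def locate_subject(sources: dict, email: str) -> list:
    """Every source holding a given subject's e-mail address: the answer an
    access or erasure request needs."""
    wanted = ("email", email.strip().lower())
    return sorted(name for name, text in sources.items()
                  if wanted in scan_source(text))


if __name__ == "__main__":
    for source, counts in build_inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {counts or 'no personal data found'}")
    print("ana.silva@example.com found in:", locate_subject(SAMPLE_SOURCES, "ana.silva@example.com"))
```

Pattern matching alone produces false positives (build IDs, timestamps), which is why the card detector is backed by a checksum and the phone detector by a digit-count and date filter; expect to tune such rules per source, and treat the inventory as something to re-run after every remediation rather than a one-off report.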
Step three: Understand your role
With a broad understanding of your business, the data you process, and the systems that you use, it becomes easier to determine your role under the regulation. If you decide why personal data is being processed and how, you are the “data controller.” If you process personal data only on a controller’s behalf and under its instructions (a hosting provider or payroll service, for example), you are a “data processor,” which carries its own, narrower set of obligations. Many organizations are both, depending on the data set.
Step four: The data protection officer
Many organizations will need to appoint a DPO. You must determine whether you fall within this category: a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those that process special categories of data on a large scale. A knowledgeable DPO (with a technical and legal background) is beneficial even where not required, as they can offer guidance on the regulation, legal obligations, and business application.
Step five: Protecting personal data
Once the data has been classified, you should have a comprehensive understanding of the type of data that you process and, hence, how the data needs to be protected. Consider how you are securing personal data currently (if at all) and make any necessary changes or put the necessary procedures in place.
Protecting the privacy of personal data should be prioritized. Where processing is likely to result in a high risk to individuals (large-scale profiling or monitoring, for example), a Data Protection Impact Assessment (DPIA, the GDPR’s name for what was previously called a Privacy Impact Assessment) is required to evaluate the data life cycle and the potential impact on the privacy of the individual.
Emphasis should be placed on GDPR-specific requirements such as data portability, the right to be informed, the right to erasure (the “right to be forgotten”), and the correct manner in which to destroy data. The necessary procedures and controls should be in place to support the rights of the data subject.
Practices to secure data are needed for personal data in all forms and locations, including on premises and in the cloud, backed up data, archived data, and data being created. The security of entire data lifecycles must be addressed.
To protect the personal data you are responsible for, encryption, anonymization, and pseudonymization can all be used; which one fits depends on who needs to work with the data and for what. Note the difference: pseudonymized data can be re-linked to a person by whoever holds the key or lookup table, so it remains personal data under the GDPR, whereas properly anonymized data falls outside the regulation altogether. Keep only what you need and get rid of all unnecessary personal data. It’s simple: if you don’t have it, there is no need to protect it!
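To make the pseudonymization and anonymization distinction concrete, here is an added example (not the article’s own code). Direct identifiers are replaced with keyed HMAC-SHA256 tokens so that a person’s records still link together for analytics and can be found again for a subject access request by whoever holds the key, while a separate irreversible path drops identifiers, discards fields the stated purpose does not need, and coarsens the remaining quasi-identifiers, followed by a k-anonymity check before anything is called “anonymous.” Field names, the purpose list, the key, and the sample records are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Added example, not the article's code. Records, field names and the purpose
# list are hypothetical; the key would come from a secret store in practice.
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("age_band", "postcode_area")

SAMPLE_RECORDS = [  # constructed sample data, not real people
    {"name": "Ana Silva", "email": "ana.silva@example.com", "birth_year": 1984,
     "postcode": "SW1A 1AA", "plan": "pro", "spend": 120},
    {"name": "Bo Chen", "email": "bo@example.org", "birth_year": 1991,
     "postcode": "M1 1AE", "plan": "free", "spend": 0},
    {"name": "Ana Silva", "email": "Ana.Silva@example.com", "birth_year": 1984,
     "postcode": "SW1A 1AA", "plan": "pro", "spend": 45},
]


def token(value: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256, truncated). An unkeyed hash of an e-mail
    address is not a pseudonym: the input space is small enough to enumerate."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Swap direct identifiers for tokens. One person's rows still link up
    (same key, same value -> same token); reversal needs the key, the
    'additional information kept separately' the GDPR describes."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = token(out[field], key)
    return out


def rows_for_subject(pseudonymized: list, key: bytes, email: str) -> list:
    """Serve an access or erasure request: the key holder recomputes the
    subject's token and pulls their rows without keeping a plaintext index."""
    wanted = token(email, key)
    return [r for r in pseudonymized if r.get("email") == wanted]


def anonymize(record: dict, purpose_fields: tuple, ref_year: int = 2018) -> dict:
    """Irreversible: drop direct identifiers and anything the stated purpose
    does not need (data minimisation), then coarsen quasi-identifiers."""
    out = {}
    for field in purpose_fields:
        if field in DIRECT_IDENTIFIERS or field not in record:
            continue
        if field == "birth_year":
            decade = (ref_year - record[field]) // 10 * 10
            out["age_band"] = f"{decade}-{decade + 9}"
        elif field == "postcode":
            out["postcode_area"] = record[field].split()[0]  # outward code only
        else:
            out[field] = record[field]
    return out


def k_anonymous(rows: list, quasi: tuple, k: int) -> bool:
    """Release check: every combination of quasi-identifier values must occur
    at least k times, or a rare combination still singles someone out."""
    counts = Counter(tuple(r.get(f) for f in quasi) for r in rows)
    return all(c >= k for c in counts.values())


if __name__ == "__main__":
    key = b"demo-key-from-secret-store-not-in-code!!"  # hypothetical
    pseudo = [pseudonymize(r, key) for r in SAMPLE_RECORDS]
    print("subject rows:", rows_for_subject(pseudo, key, "ana.silva@example.com"))
    anon = [anonymize(r, ("email", "birth_year", "postcode", "plan")) for r in SAMPLE_RECORDS]
    print("anonymized:", anon, "2-anonymous:", k_anonymous(anon, QUASI_IDENTIFIERS, 2))
```

The k-anonymity check fails on this three-row sample (the Manchester record is unique on its quasi-identifiers), which is the point: coarsening alone does not make a data set anonymous, and until the check passes the output is still personal data and must be protected as such.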
Step six: Prove accountability
It is important that you are able to demonstrate accountability for all your data-processing activities, and to be transparent about how personal data is processed. This applies to current activities as well as future processing. Where consent is your lawful basis, it must be unambiguous and documented, so that you can show when, how, and for what each data subject agreed.
Keep a record of the steps and procedures being taken to move your business toward compliance. A record of what the business is doing to achieve compliance helps to demonstrate accountability. It is important to show that you are doing what is required even if you are in the early stages: that effort is being made and that the compliance process has commenced.
Step seven: A repeat audit
After identifying and putting the necessary controls in place, a repeat audit should be undertaken. This allows you to produce reports proving that you have taken the necessary measures to comply. You should now be able to show what personal data you hold, how it is used, why it is used, who can access it, and where it is located across your business environment. You should be able to prove that you can properly govern and protect your data and processes, thus ensuring the privacy of the data subjects’ personal data at all times.
Remediation and updating may also be required if further gaps or discrepancies are found.
You need the GDPR and the GDPR needs you!
Everyone processing the personal data of individuals in the EU, no matter where the company is headquartered, needs to be GDPR compliant. Time is quickly running out! It is imperative to focus now on the work necessary to tackle compliance efficiently and effectively. It has been suggested that on May 25, 2018, half of businesses will not yet be fully compliant, despite all the attention the regulation is currently receiving. Security must be central to all things data related (ideas, processes, and applications) for businesses from now onwards. Those businesses that don’t have the right procedures in place, or fail to at least prove that they have made some effort, will face a tough time come May 2018.