How to comply with the General Data Protection Regulation (GDPR).
In the last decade, Europe has steadily pushed changes in the area of privacy and data protection. Now the European Union (EU) is making another groundbreaking shift with the passage of the new General Data Protection Regulation (GDPR) privacy law.
By now, almost every organization around the world has the GDPR in its sights. If your company collects, stores, or uses personal information about European citizens, then the GDPR applies to your company. Learn more about what the EU GDPR is, whether your company is affected by it, and what the penalties for non-compliance are in the article: What is EU GDPR - in a nutshell!
The deadline for compliance is May 25, 2018
Prepare for GDPR compliance
Meeting GDPR requirements can be challenging. For most companies, the new regulation means substantially strengthening current privacy practices and implementing appropriate policies and security protocols. Despite the complexity of the new law, complying with the GDPR can be accomplished by following the steps outlined below.
1. Assess your current data storage process - where is personal data stored and how is it used
The first step towards GDPR compliance is to analyze your existing privacy and security efforts. It is very important to identify all personal data that you currently have and where it is stored. You will most likely find that you have dozens of different databases and systems that store personal information. This information can come from visitors who fill out forms on your websites, participate in referral and loyalty programs, customers that have bought from you, leads that have contacted you via email or phone, and more.
You can do this as a data inventory analysis or a data mapping exercise. The data inventory can show you:
- What information is collected?
- Where is it stored?
- Where did it come from?
- What is it used for?
- Who has access to it?
- How is it protected?
- Do you ever share it with third parties? On what basis might you do so?
- How long do you keep it?
A Data Inventory reflects how your business works. Start with how you process data and list the activities and their purpose. From the analysis, your business can identify risk points to data privacy and enforce privacy rules. Determine what actions your organization needs to take to ensure that these weak links are properly protected from now on. Under the GDPR, you must be able to prove that you know where personal data is stored and that you have traceable permission to collect and use it.
What information should the Data Inventory document?
There is no standard template for recording data processing, but the minimum requirements include:
- Name and Contact details of Data Controller, and the data protection officer (DPO)
- Purpose of Processing - a list with some standard purposes such as Customer management, Security, Personnel management, HR, Business intelligence, etc.
- Data and Data Subjects Used - a description of the categories of data being processed and of the data subjects whose data is being processed, such as: sensitive category of data processing, data subject category, classification level, retention period, original source.
- Functional Data Categories - sample categories: personally identifiable information (PII), special financial data, personal characteristics, psychological details and private habits.
- List of Recipient Categories - categories of recipients to whom the personal data have been or will be disclosed. Sample categories: public services, courts and law enforcement, banks and insurance companies, employer or business relations of the data subject, other.
- Retention Period - where possible provide time limits for the processed data.
- Third Country/International Organization - where applicable, indicate transfers of personal data to a third country or an international organization.
- Technology - where possible, add a general description of the technologies, applications, and software used in the processing activities.
Under Article 30, you are required to maintain an internal record of all personal data and associated information your organization collects, and to make it available to the relevant authorities upon request. It is better to collect more information rather than less, as it helps you comply not only with Article 30 but also with the other GDPR requirements.
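As an added illustration (not code from the original article), a Python model of an Article 30 register built from the minimum items above and the inventory questions in step 1, with a completeness check that flags missing minimum items and points that need review. The record fields, the sample records and the rules in `validate` are assumptions about one reasonable layout, not a legal template.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ProcessingRecord:
    activity: str                           # name of the processing activity
    controller_contact: str                 # controller name and contact details
    purposes: List[str]                     # e.g. "Customer management", "HR"
    data_subjects: List[str]                # e.g. "customers", "employees"
    data_categories: List[str]              # e.g. "PII", "special financial data"
    recipients: List[str]                   # categories of recipients
    dpo_contact: Optional[str] = None       # data protection officer, if appointed
    retention_period: Optional[str] = None  # where possible
    third_country_transfers: List[str] = field(default_factory=list)  # where applicable
    technology: Optional[str] = None        # systems and software used
    access_roles: List[str] = field(default_factory=list)  # who has access
    safeguards: List[str] = field(default_factory=list)    # how it is protected

def validate(rec: ProcessingRecord) -> List[str]:
    """Return findings: MISSING for minimum items, REVIEW for items to confirm."""
    findings = []
    required = {"controller_contact": rec.controller_contact, "purposes": rec.purposes,
                "data_subjects": rec.data_subjects, "data_categories": rec.data_categories,
                "recipients": rec.recipients}
    for name, value in required.items():
        if not value:
            findings.append(f"MISSING: {name}")
    if rec.retention_period is None:
        findings.append("REVIEW: no retention period documented")
    if rec.third_country_transfers and not rec.safeguards:
        findings.append("REVIEW: third-country transfer without documented protection")
    if not rec.access_roles:
        findings.append("REVIEW: who has access is not documented")
    return findings

def audit(register: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Map each activity name to its findings; an empty list means complete."""
    return {rec.activity: validate(rec) for rec in register}

# Constructed sample register (fictional company data, not from the original page).
SAMPLE_REGISTER = [
    ProcessingRecord("Newsletter signup", "Example Ltd, privacy@example.com",
                     ["Marketing"], ["website visitors"], ["PII"], ["email service provider"],
                     retention_period="until unsubscribe", access_roles=["marketing team"],
                     safeguards=["TLS in transit", "encrypted at rest"]),
    ProcessingRecord("Payroll", "Example Ltd, privacy@example.com",
                     ["HR", "Personnel management"], ["employees"], ["PII", "special financial data"],
                     [], third_country_transfers=["US payroll processor"]),
]
```

Running `audit(SAMPLE_REGISTER)` returns no findings for the newsletter record and four for payroll, which is the kind of gap list an authority request would expose.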
2. Establish Controls and Processes
Once your organization has a better understanding of the stored data, you can then conduct a full risk assessment. This assessment should be carefully carried out, as it will determine what you need to do in order to comply with the GDPR obligations. It will help you uncover all of the risks and help your team create a roadmap of necessary operational and technological changes. You will need to establish appropriate security controls and processes to protect personal data from loss or unauthorized access or disclosure.
Steps for implementing security measures for compliance with the GDPR
- Determine which are the applicable GDPR requirements for your company
- Appoint a data protection officer (DPO) or assign a data protection role (if no formal DPO is needed)
- Determine if you collect and process sensitive data
- Define your GDPR program
- Conduct a full risk assessment
- Implement procedures to meet new data subject rights
- Adopt a privacy-by-design approach
- Conduct a data protection impact assessment (DPIA) if required
- Create a Data Processing Agreement
- Adjust contracts, notices and policies to meet the new requirements
- Evaluate and invest in technologies to achieve compliance with the GDPR’s security expectations
- Deploy a firm access governance solution - governance generally requires periodic review of your team's access rights
- Control the access of employees and contractors
- Make sure your software provider has strong firewalls, so your solution is not exposed to cyber threats and the risk of data leaks
- Determine whether your software uses encryption - the GDPR specifically calls out encryption as a security requirement.
Meeting GDPR requirements is not possible without good security. You must take all necessary technical and administrative measures to keep personal data safe. Although there are no specific security standards or certifications, you should carefully review your company's security protection and apply necessary changes in order to meet GDPR requirements.
According to the GDPR, organizations must:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize the exposure of subject identities
- Implement data security measures
INDIVIDUAL RIGHTS MANAGEMENT
Even after data is collected, individuals retain rights over and control of that data. Your customers have the following individual rights: access, rectification, restriction, portability and deletion. You must implement processes and technologies that can accommodate requests pertaining to these rights.
REPORT DATA BREACHES
The GDPR requires organizations to notify customers and the supervisory authority if there is a security breach that threatens the rights and privacy of a data subject. The notification must be made within 72 hours of first becoming aware of the breach. These obligations are outlined in Articles 33 and 34, and organizations must:
- Notify authorities within 72 hours
- Describe the consequences of the breach
- Communicate the breach directly to all affected data subjects
You need not only to be more transparent about how you handle personal data, but also to demonstrate ongoing compliance. You can do this by regularly reviewing assessments or audits of the privacy program and keeping records that can be used for both internal and external reporting. Make sure you can prove to clients and regulators how your company complies with each GDPR requirement.
The GDPR deadline is approaching. Are you ready?