The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It applies to all companies with operations in the EU and to companies based anywhere in the world that store and process EU citizen data (even if the processing is done outside the EU).
Failure to comply with the GDPR will result in substantial fines – as much as 4% of an enterprise’s worldwide revenue. In the event of a breach, the company must notify EU authorities within 72 hours.
GDPR classifies organizations as ‘controllers’ or ‘processors’. Controllers determine how and why personal data is processed, while processors act on behalf of the controllers. Processors are required to maintain records of personal data and processing activities and carry more legal liability in the case of a breach. Controllers, in turn, have an obligation to ensure that their contracts with processors comply with GDPR.
The key areas of the legislation are privacy rights, data security, control, and governance. For both processors and controllers, the legislation details how these areas should be managed by requiring documented inventories of personal data, workflows, policies for updating or retiring data stores, processes to support the right to erasure and more.
- Privacy rights: These include the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights relating to automated decision-making and profiling. In addition, the legislation introduces rights to protect children’s privacy.
- Data security and control: These requirements are detailed in Article 5 of the GDPR. Article 5 essentially states that data can only be processed for the reasons it was collected; must be accurate and kept up to date, and erased if it is not; must be stored so that a person is identifiable for no longer than necessary; and must be processed securely.
- Governance: Organizations are expected to be more accountable and implement comprehensive governance measures that include the creation of a data protection officer. Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The challenge: The legislation applies to thousands of organizations that did not need to worry about the Data Protection Directive (DPD) in the past. This requires not just a business or technology shift but a shift in culture and mindset about how data has been stored until now. Data harvesting will not be as simple as it was in the past, and cross-department sharing of harvested data will require the subject’s consent.
Obligations under GDPR:
1. Data Control: To preserve the subject’s privacy, organizations must do the following:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize subject identities’ exposure
- Implement data security measures
2. Data Security: To preserve the subject’s privacy, organizations must implement the following:
- Safeguards for data retained for additional processing
- Data protection measures
- Security as a contractual requirement, based on risk assessment
- Encryption
3. Right to Erasure: Subject data can’t be kept indefinitely. GDPR requires organizations to completely erase data from all repositories when:
- Data subjects revoke their consent
- A partner organization requests data deletion
- A service or agreement comes to an end
4. Risk Mitigation and Due Diligence: Organizations must assess the risks to privacy and security and demonstrate that they’re mitigating the risks. Organizations must:
- Conduct a full risk assessment
- Implement measures to ensure and demonstrate compliance
- Proactively help third-party customers and partners to comply
- Prove full data control
5. Breach notification: In case of a security breach, organizations must:
- Notify authorities within 72 hours
- Describe the consequences of the breach
- Communicate the breach directly to all affected subjects
Initial steps for a Project Plan
The first step to an effective project plan is to understand what data you hold, who can access it, whether it is shared and, if so, why, and which applications process it.
To spearhead the project, the following activities are required for effective implementation:
1. Stakeholder support (Board and business units)
- Identify senior stakeholders who can support GDPR implementation in each business unit/operation
- Senior management must understand and champion GDPR requirements and the impact of non-compliance
- Adequate resources such as budget and workforce need to be allocated
- Responsibility for GDPR compliance must sit with the C-suite and executive management
2. Information Audit of the retained data
- Perform an information audit (a dataflow and data inventory analysis) across the organization and confirm the retained data is per the consent of the subjects
3. Privacy notice and information
- Understand the current privacy notice and make any necessary changes
4. Assess current procedures
- Check the procedures to ensure they cover all the rights individuals have, including how you would delete personal data
5. Procedures to handle Subject Access Requests (SAR)
- Update procedures, and plan and document how requests will be handled within the new timescales and how any additional information will be provided
6. Implement Data Protection Impact Assessments (DPIA)
- Identify how to implement DPIA in the organization
- Assess the situations where it will be necessary to conduct a DPIA
i. Who will perform DPIA?
ii. Who needs to be involved?
iii. Will the process be run centrally or locally?
7. Consent of subjects
- Review the process to seek, obtain and record consent and whether changes are needed
- Identify ways to ask for additional consent or verify an individual’s age
8. Personal data breaches
- Develop and implement procedures to detect, report and investigate a personal data breach
- Confirm that business continuity and incident response plans have been updated and are current
9. Secure data processing and data protection by design
- Confirm that the procedures and tools needed to comply with both security-by-design and privacy-by-design requirements are in place. Complying with the ISO 27001 standard is a good place to start.
10. Data Protection Governance
- Designate a data protection officer to take responsibility for data protection compliance
11. International Data Transfers
- Identify where the data is stored and processed and determine the applicable parent supervisory data protection regulation