Following a manageable path to GDPR compliance

November 9, 2017

It’s in the news and in our boardrooms. Everyone needs to be compliant, and as of yesterday. The impending GDPR D-Day, 25th May 2018, is not far off, and this is causing panic for many. There is confusion as to where to start, and anxiety about the numerous tasks that must be tackled before the deadline is reached. It may feel overwhelming at times, but gaining a better understanding of the fundamental aspects of the regulation and following a few steps can make the journey to GDPR compliance a little more manageable.

By understanding a few central aspects of the regulation, a more in-depth awareness can be developed and the importance of the regulation appreciated.

Central aspects of the regulation

• The implications of non-compliance

The impacts of non-compliance are severe. Fines are heavier than ever and are likely the cause of much of the panic.

• The regulation extends globally

Every interaction with an EU citizen requires compliance (running a business that is located outside of the EU does not give you a “get-out-of-jail-free card”!).

• Knowledge of the data you manage and process

It’s imperative that we know exactly what data we hold and process and know exactly where it is at all times.

• An ad hoc manner for processing data is not acceptable

We must have complete control of our data and data processing, as well as control over the security of our data. Moreover, we must be able to prove that this is always the case. Everything we do must be done with intention and with good reason.

• Understanding the requirement for a Data Protection Officer

Do we or do we not need one? Not all businesses are required to have one, but due to the uncertainty in this area, having a DPO may prove beneficial for most.

• GDPR is about securing data as well as processes

Processes may need to be re-evaluated to ensure personal data is being securely processed at all times, and measures put in place to achieve this.

• The rights of the data subject (not those of the company!) are at the root of it all

The regulation aims to protect the rights of the individual. The data subject’s data must be protected. The security and privacy of the data must always be maintained.

7 steps to assist with achieving GDPR compliance

Step 1: Audit process

A comprehensive data discovery audit is always a good place to start. It is also important to revise and then repeat this process. The audit is a procedure to evaluate the data, systems, and processes. By doing this you can quickly discover any gaps that need resolving. Thorough evaluation is vital. Be sure to include entire systems and all data models within them.

Step 2: Data classification

The initial data discovery audit should uncover the following:

• The type of data processed

All data sources must be located and accessed so that all personal data can be extracted, categorised, and classified. All personal data, whether structured or unstructured, at rest or in motion, must be audited so that it can be dealt with appropriately. It’s useful to use an automated process to catalogue the data, especially when data volumes are large. This can help to meet the compliance requirements in time. A personal data inventory should be compiled.

• The location of the data

It is crucial that you know exactly where the data is at any given time. Not only is this essential for compiling a portfolio to evaluate and manage the security risk of the personal data that you process, but also to comply with the regulation. The organisation must be able to prove the location of the data that it holds at any given moment in time.

• The purpose for processing and/or storing the data, and clarity on what the data is used for

You must know the reasons for processing the data and have explicit consent to do so. If you don’t need it, don’t collect or keep it!

• Data access and controlling access to data

To be compliant, all lines of the business must understand the rules. Privacy policies and rules must be documented and shared with everyone in the organisation. Access to personal data must be properly governed. Personal data should only be accessible to those with the appropriate rights, recognised in the roles and definitions laid out in the governance model. This way the required level of control can be reached.

Step 3: Understanding your role

If you have a broader understanding of your business, the data you process, and the systems that you use, it should be easier to determine your role under the regulation. You are the data controller if you are determining how personal data is being processed and deciding the reasons for processing the data.

Step 4: The data protection officer

Many organisations will need to appoint a DPO. You must determine if you fall within this category. A knowledgeable DPO (with a technical and legal background) is beneficial to the organisation, as they will be able to offer guidance with respect to the regulation, legal obligations, and business application.

Step 5: Protect personal data

Once the data has been classified, you should have a comprehensive understanding of the type of data that you process and, hence, how the data needs to be protected. Consider how you are securing personal data currently (if at all) and make any necessary changes or put the necessary procedures in place.

Protecting the privacy of personal data should be prioritised. It may be necessary to complete a Privacy Impact Assessment (PIA) of policies to evaluate the data lifecycles and the potential impact on the privacy of the individual.

Emphasis should be placed on GDPR-specific requirements such as ensuring data portability, the right to be informed, the right to be forgotten, and the correct manner in which to destroy data. The necessary procedures and controls must be in place to support the rights of the data subject.

Part of the GDPR requirements is that organisations must safeguard the data within their environments. All forms of personal data, in all locations, must be secured and securely processed. This includes on-premises and in the cloud, backed-up data, archived data, and data being created. The entire lifecycle of the data must be addressed. To do this effectively, a robust encryption solution that covers multiple business activities is needed.

Fortunately, mature technologies are accessible. Choosing not to use encryption to combat the risk of a data breach is unjustifiable. Firewalls and antivirus are useful, but they do not offer broad protection, and to be completely compliant with GDPR, further data protection in the form of an encryption strategy is necessary.

Many organisations still fail to realise that encryption is an essential part of protecting business and customer data, notwithstanding the risks of processing sensitive and personal data within their numerous systems.

Step 6: Prove accountability

You must be able to demonstrate accountability for all your data-processing activities. Transparency should also be shown with regard to the processing of personal data (for current activities as well as future processing). Data subject consent needs to be current, explicit, and documented.

To further prove business accountability, keep a record of the developments and procedures that the business is undertaking to move towards compliance. It is important to demonstrate that you are doing what is required, even if it is still in the early stages. Demonstrate that effort is being made and that the compliance process has commenced.

Step 7: A repeat audit

A repeat audit should follow after identifying and implementing the necessary controls. This will enable you to produce reports to prove that you have taken the necessary measures to comply. Ultimately, you should be able to prove that you are aware of what personal data you hold, how it is used, why it is used, who can access it, and where it is located across your business environment. Furthermore, you can demonstrate that you can properly govern and protect your data and processes and ensure the privacy of the data subjects’ personal data at all times. Remediation and updating may also be required if further gaps or discrepancies are found.

GDPR compliance is highlighting the need for a data protection overhaul

Everyone processing the personal data of EU citizens must be GDPR compliant. It is suggested that on May 25, 2018, half of businesses will not yet be fully compliant, despite all the focus around the regulation currently. Security must be central to all things data related (ideas, processes, and applications).

Most organisations are averse to change and have also become complacent about managing their data and the security of their data. They are making themselves easy targets, and it does not need to be that way.

There is no excuse for not properly securing your data. The process does not need to be complicated or time-consuming, and it does not need to negatively impact your business function. Mature, robust, flexible and seamless solutions do exist, and all misconceptions or excuses for not utilising encryption are just that: misconceptions and excuses. Solutions exist that fit seamlessly into any existing business environment and allow businesses to continue as usual with no negative impact on business function at all.

We don’t see, read and hear reports of hackers stealing encrypted data, but rather of breaches of sensitive data that organisations have failed to protect. Encryption should be regarded as an important component of organisations’ cybersecurity strategies.

Organisations that don’t exercise the right precautions, or fail to at least prove that they have made some effort, can expect to face a tough time come May next year.