The upcoming EU General Data Protection Regulation (GDPR) will be one of the strictest and most far-reaching data protection regulations ever passed, imposing tight data protection requirements and heavy penalties for non-compliance for any business around the world that collects or processes EU resident data. The goal of the GDPR is to harmonise data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and reshape the way organisations approach data privacy.
The GDPR will be the largest overhaul to data privacy regulations that the EU – and much of the world – has experienced in the past 30 years. Its privacy requirements will be extensive and thorough, including the protection of EU citizens and residents’ personal information, such as data related to their health, genetics, biometrics, race, sexual orientation, and political opinions.
With GDPR coming into effect on May 25, 2018, any organisation handling EU residents’ data should be prepared to comply with stricter privacy regulations or be ready to pay up to four per cent of their global annual revenue in fines or €10,000,000. That is a substantial stick for non-compliant companies, but the carrot for compliant companies is the increased customer trust and loyalty that can follow when companies demonstrate success in protecting EU citizens and residents’ personal data.
Unfortunately, many organisations can be slow to adapt to new changes like the GDPR and need to accelerate their efforts in order to ensure GDPR compliance before the deadline arrives. A shocking 52 per cent of companies believe they will not be ready for GDPR enforcement and will end up paying fines! To avoid this, it’s important to prioritise resources, processes, and people to ensure you are not only preparing for GDPR, but are also establishing an ongoing program that will eventually evolve into routine business operations.
Getting started: Appointing GDPR stakeholders
Gaining executive leadership and stakeholder cooperation is the first step in complying with GDPR. Having board level buy-in from the beginning is critical, as is appointing an executive leader, preferably the CEO. GDPR isn’t primarily a security issue, nor is it all about IT – it’s a business problem that relies on cross-departmental collaboration from all stakeholders to be successful. Appointing a strong centralised GDPR leader with a core GDPR team across business units is the first step in progressing toward GDPR compliance; however, the core GDPR project team needs to be accountable to the board and executive leadership teams, with direction coming from the top down.
The data protection officer
There are many questions about the role of the data protection officer (DPO). GDPR only requires the appointment of a DPO by companies in limited cases, namely when the company’s core activities consist of the following:
1) Data processing operations which require regular and systematic monitoring of data subjects on a large scale;
2) Processing on a large scale of special categories of data, i.e., sensitive data such as health, religion, race, sexual orientation, etc., and personal data relating to criminal convictions and offences.
Public authorities are always required to appoint a DPO under GDPR. In general, a DPO will be required if your company processes and manipulates personal data (e.g. banks, healthcare, credit companies), but if the company only has HR data they are not required to have a DPO.
Currently, the International Association of Privacy Professionals (IAPP) estimates that 28,000 DPOs are required in Europe in order to achieve perfect compliance by the May 25, 2018 deadline. The demand to fill the position will certainly increase as we move closer to the GDPR enforcement date.
When the GDPR goes into effect, the DPO becomes a mandatory role under Article 37 for all companies that meet these criteria. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data collection or processing.
It’s important to note that DPOs do not need to be members of the organisation. The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies that the DPO’s expertise should align with the organisation’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors. If you’re selecting an external DPO, ensure that they know and understand not only the data but also the business they are working for.
DPOs may be a controller’s or processor’s staff member, and related organisations may utilise the same individual to oversee data protection collectively, as long as it’s possible for all data protection activities to be managed by the same individual and the DPO is easily accessible to the related organisations whenever needed. It is required that the DPO’s contact information is made public and provided to all regulatory oversight agencies.
It is recommended that organisations start evaluating potential DPO candidates now so they can determine if they meet the requirements while being a valuable addition to the GDPR stakeholder team. Start by looking for candidates within your organisation, as they have the best understanding of your business.
Technology recommendations for GDPR compliance
GDPR is fairly nebulous when prescribing solutions or technologies to achieve compliance; however, this is intentional. The GDPR is designed to accommodate new and emerging technologies, such as cloud-based systems, IoT, machine learning, and social networks. Many of these technologies weren’t available when previous data protection regulations – such as the EU’s Data Protection Directive of 1995 – were established, so the GDPR was designed to be flexible in how organisations can comply with its technology mandates. The downside is that this leaves many companies lacking guidance as to what technologies can help them speed or enable GDPR compliance.
It’s recommended to start with a visibility assessment of what data exists within your environment and what types of personal data – particularly GDPR-regulated data – you are collecting, handling, and storing so you can have a deep understanding of your risk exposure and prioritise further compliance efforts from there.
• Data Discovery and Classification
A visibility study generally starts with data discovery and classification, which are commonly offered as part of data loss prevention (DLP) platforms. It’s important that companies take an approach that scans data in all of its forms and states, including on workstations, servers, websites, and removable storage devices, as well as any data that is being hosted, migrated, and managed in cloud-based environments.
In addition to data discovery and classification, these technologies are recommended for GDPR compliance:
• Access Control, Identity Management, and Privileged User Management
Access control prevents unauthorised processing and access to data (Articles 4 and 5), while identity management is critical for understanding who is accessing the data. Both help to prevent credential abuse or misuse by certain individuals, accounts, or attackers and are important for compliance.
• Encryption and Pseudonymisation
These technologies are specifically requested in Article 32; however, organisations should be careful before deploying encryption. Once data is encrypted it becomes very difficult to search and sort it, which impacts forensics, reporting, and analytics. Appropriate key management is also critical, as poor key management practices can lead to disruptions in business operations and, in some cases, lost keys altogether. Without decryption keys, organisations cannot access their own data, rendering it unusable. Before encrypting, be sure to have an appropriate plan in place detailing what data is to be encrypted, how keys will be managed, and any other important considerations for your business.
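As an added example (not code from the article or from Digital Guardian), the following Python shows the trade-off described above: a deterministic keyed pseudonym keeps a dataset searchable, sortable and aggregatable while the identifier mapping lives in a separate, access-controlled lookup table, and a wrong or lost key means the pseudonyms can no longer be recomputed. The records and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictional, not from the article).
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "spend": 20},
    {"email": "bob@example.com", "country": "FR", "spend": 5},
    {"email": "alice@example.com", "country": "DE", "spend": 15},
]

def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).
    Equal inputs give equal pseudonyms under the same key, so the table stays
    searchable and sortable, unlike randomised ciphertext; without the key a
    pseudonym can neither be recomputed nor reversed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]

def split_dataset(records, key: bytes):
    """Swap the direct identifier for a pseudonym. Returns (analytics_table,
    lookup_table); the lookup table is the 'additional information' that
    must be held separately under access control."""
    analytics, lookup = [], {}
    for rec in records:
        pid = pseudonymise(rec["email"], key)
        analytics.append({"pid": pid, "country": rec["country"], "spend": rec["spend"]})
        lookup[pid] = rec["email"]
    return analytics, lookup

def spend_per_subject(analytics) -> dict:
    """Aggregation works on pseudonyms alone; no identifier is touched."""
    totals = Counter()
    for row in analytics:
        totals[row["pid"]] += row["spend"]
    return dict(totals)

def find_subject_rows(email: str, key: bytes, analytics) -> list:
    """Subject access request: recompute the pseudonym and select matching
    rows. With a wrong or lost key nothing matches (the key-management risk)."""
    pid = pseudonymise(email, key)
    return [row for row in analytics if row["pid"] == pid]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hold in a KMS/HSM, never beside the data
    analytics, lookup = split_dataset(RECORDS, key)
    print(spend_per_subject(analytics))
    print(find_subject_rows("alice@example.com", key, analytics))
    print(find_subject_rows("alice@example.com", secrets.token_bytes(32), analytics))  # []
```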
• Auditing and Forensics
One of the often understated but very important aspects of GDPR compliance is the recording of processing (Article 39). These records or reports are intended to maintain evidence of personal data processing across the organisation and need to be kept up to date and made available to supervising authorities upon request. In addition, using forensics for incident response (whether it be for a breach or another issue) provides strong investigative and reporting capabilities while making it easier to demonstrate compliance on an ongoing basis. Having strong auditing and forensics will demonstrate to regulators your organisation’s commitment to following best practices for compliance and could serve as a mitigating factor for potential fines.
Whatever technologies you choose to adopt, it’s imperative to understand how they enable you to process personal data and put controls around that data. Those controls include consent (opt-in), the right to be forgotten, transparency, and data portability, since users have the right to receive documentation of how their personal data is being used and stored.
GDPR and managed services: An alternative solution
While organisations are going through their GDPR compliance program and determining the impact the new regulation will have from a people, process, and technology perspective, some may find it more cost-effective to outsource to a managed security program (MSP) that handles the process for them. With the current dearth of IT security talent, this may become a more viable option for organisations that lack the internal resources and headcount but need to be compliant with GDPR.
Thomas Fischer, global security advocate, Digital Guardian