As we move closer to the enforceable compliance date of May 25, 2018 for the General Data Protection Regulation (GDPR), many organizations are asking themselves if they are on track to meet the regulation requirements. Many organizations are still unsure if the regulation even applies to them. Given the severity of potential penalties for non-compliance greater of €20 million or 4% of revenue for non-compliance with core tenets of GDPR, such as violation of data subject rights or transfers of data to unauthorized third countries), this perspective covers who GDPR applies to and the key items you should explore in your organization to ensure you are prepared.
WHO DOES GDPR APPLY TO?
GDPR applies to any EU resident’s data, regardless of where it is collected, processed, or stored. Please note that I said resident, not citizen. While there are some caveats that may absolve you from having to comply (if you do not store any EU resident data in the EU and do not market goods or services to the EU, for instance) it is not yet clear how the EU member states will interpret and enforce this regulation. Therefore, best practice is to comply when unsure if it applies to your organization. Additionally, it is only a matter of time before GDPR trickles down to other regulatory authorities throughout the world, including the United States. Avoidance is only postponing the inevitable. It is important to note that this applies to data not only collected after the enforceable compliance date, but any data collected before May 25, 2018 that is still being processed or stored.
At its core, GDPR’s primary goals are to ensure the security and confidentiality of personal data. It takes a European approach to personal information where privacy is a fundamental right, residents’ and citizens’ rights come before business interests, residents and citizens own their data (regardless of where it resides), and legal authority is required to transfer data beyond EU boundaries. To ensure this happens, the regulation looks at data from the individual’s perspective rather than that of the business. This is a change in how data is viewed and valued. Traditionally, US companies have viewed data solely as an asset. With GDPR, data is something that must be protected and can also be a liability. Holding or processing data unnecessarily could bring additional unwanted risk to the organization.
GETTING READY FOR GDPR COMPLIANCE
To ensure you are ready to comply with GDPR, here are six key steps you should take immediately.
One: Reevaluate How You Classify Data
Under the prior EU directive, personal information was defined as information relating to an identified or identifiable living individual. GDPR goes further and includes online identifiers, such as IP addresses and cookies, as well as “pseudonymized” data, such as key-coded clinical data, hashed, or “anonymized” data that could still potentially be used to identify an individual. Sensitive personal data under the directive included racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal offenses, and the processing of data concerning health or sex life. GDPR expands upon this by including the processing of genetic or biometric data for the purpose of uniquely identifying a natural person. In order to comply with GDPR you must understand what data you collect and how it should be classified. This will inform later activities, such as breach notifications, logging the appropriate information, and demonstrating compliance.
Two: Appoint a Data Protection Officer
The Data Protection Office (DPO) must have expert knowledge of GDPR, as they would be subject to enforcement proceedings in the event of non-compliance. To ensure that your DPO is successful, they should have a thorough understanding of your organization and data. They must be established in the EU, can be a full or part-time employee or contractor, and must be designated in writing to the supervisory authority. There are specific reporting requirements that come with GDPR and reporting channels in the event of an incident. The DPO will be the primary point of contact with their supervisory authority in the event of a data breach.
Three: Conduct a Data Protection Impact Assessment
The DPIA is required when new technologies or processes are introduced that are likely to pose a high risk to personal data protection. While security is already almost always in mind when designing new systems, GDPR explicitly states that data protection and privacy must be addressed when new systems are introduced. The strictest available security designs must be configured by default. To change these strict security settings would have to be a manual opt-out, instead of an opt-in. Often companies take the latter approach in current practices, so this is something to keep in mind when operating under GDPR.
Four: Understand Breach Notification Requirements
Many organizations already have a Cyber Incident Response Plan, but this plan probably does not address additional steps to take if EU resident data is compromised. Consider an initiative in your organization to integrate DPO notification responsibilities with the overall cyber incident response plan. Lack of communication between these initiatives could result in failing to conduct proper notification and ultimately penalties.
Five: Ensure You Are Logging the Appropriate Processing Activities
GDPR is fairly vague in defining how organizations should log this information within their environments. They do, however, define what information controllers and processors shall maintain a record of. This includes the purpose of the information, the categories of data subjects and data that you are receiving, who you share data with, transfers of data to other countries, how long you are retaining data, and the security measures you have in place to secure this data. On the surface this seems easy to track, but in many cases, it can be difficult to ensure you have complete knowledge of who is accessing what information. If a third-party cloud provider is replicating your data to somewhere in the EU, you are still responsible for that data.
Six: Demonstrate Compliance
Now that you have properly classified your data, appointed a DPO to oversee your program, know your notification responsibilities, and are logging your processing activities, you need to demonstrate compliance. This initiative must be formally documented, approved by top management, and capable of undergoing an audit. The results of audits to your program will need to be shared with your supervisory authority by your DPO. GDPR’s main message is about transparency in personal data and ensuring that reasonable controls have been put in place to protect that personal data. Demonstrating that you have controls that are proportional to the risks facing the data you are processing or storing will assist in successfully demonstrating GDPR compliance. Transparency is key.
Following these six steps will help you navigate the road to compliance, but there is more you should be doing to build and maintain a practical and sustainable program. If you are still unsure if GDPR applies to you, or would like to discuss how to implement the above initiatives, Avalution can help. Please contact us today to learn more.