On May 25, 2018, the General Data Protection Regulation (GDPR), one of the most far-reaching global privacy laws in decades, will take effect. As it does, it will place a heavy responsibility on any business that handles the personally identifiable information of any EU citizen, regardless of where that data is processed.
Backed by the European Parliament, the Council of the European Union, and the European Commission, the GDPR gives data subjects (i.e., customers, employees, and contractors) the right to demand to know what data a business holds on them, to request that the data be passed to a competitor, or to demand that the data be deleted. For any business that gathers or processes personal data, this law is huge; failure to comply could mean significant fines, civil penalties, and additional compliance costs totaling as much as four percent of annual turnover. In addition, European regulatory authorities retain the power to intervene operationally against companies not in compliance with the GDPR, including halting all information processing immediately. For some companies, this would essentially mean shutting down the entire operation.
Below is the ISF's at-a-glance view of GDPR implementation.
The ISF has prepared a handy guide for building a GDPR compliance program that consists of a preparation phase and an implementation phase. Both phases will consume as much time as an organization has to give them, so companies should begin their GDPR compliance work now.
Phase A – Preparation
A.1 Discover personal data
A.1.1 Define personal data
A.1.2 Maintain records of personal data processing
A.2 Determine compliance status
A.2.1 Conduct data discovery exercise
A.2.2 Perform GDPR requirements gap analysis
A.3 Define GDPR implementation scope
A.3.1 Identify key GDPR compliance activities
A.3.2 Create GDPR compliance plan
Phase B – Implementation
B.1 Satisfy role requirements
B.1.1 Designate an appropriate data protection officer
B.1.2 Assign roles and train staff
B.2 Protect personal data
B.2.1 Apply data protection by design and by default
B.2.2 Apply appropriate security to data processing
B.3 Manage data protection impact assessments (DPIAs)
B.3.1 Identify when DPIAs need to be conducted
B.3.2 Conduct DPIAs on specified personal data processing
B.3.3 Determine how DPIA findings will be addressed
B.4 Demonstrate lawful processing
B.4.1 Determine legal basis for processing personal data
B.4.2 Obtain and revalidate consent of data subjects
B.4.3 Handle processing of special categories of personal data
B.5 Uphold data subject rights
B.5.1 Resolve requests for data subjects upholding their rights
B.5.2 Demonstrate transparency of personal data processing
B.5.3 Respond to subject access requests
B.5.4 Support rectification of personal data
B.5.5 Apply restrictions on personal data processing
B.5.6 Handle objections to processing of personal data
B.5.7 Enable personal data portability
B.5.8 Erase personal data as requested by data subjects
B.5.9 Investigate objections to automated decision making
B.6 Meet data transfer requirements
B.6.1 Establish process for managing personal data transfers
B.6.2 Protect cross-border transfers of personal data
B.7 Respond to personal data breaches
B.7.1 Identify suspected data breaches
B.7.2 Investigate personal data breaches
B.7.3 Report personal data breaches to supervisory authorities and data subjects
Source: Internet Security Forum
The GDPR is a big enough regulation to affect a company’s entire risk profile if it is not handled appropriately. The compliance requirements are so extensive, and the time left in which to begin work so short, that for many organizations compliance can be an overwhelming task. To that end, the Internet Security Forum (ISF) has released the GDPR Implementation Guide, a guidance document that provides a detailed roadmap for building an organizational effort to comply with the GDPR.
“To get the most out of the GDPR Implementation Guide, an organization should consider its current data protection practices and how to improve those practices in line with GDPR requirements,” says Steve Durbin, managing director of the ISF. “Utilizing the GDPR Implementation Guide, organizations can better prepare, implement, evaluate, and enhance their data protection activities.”
According to Durbin, the GDPR is a unique compliance burden because there is no endpoint to it; every member of an organization’s workforce has the opportunity to either comply with it or not as they gather personally identifiable information.
“If you haven’t started on GDPR compliance yet, you need to,” Durbin says. “The key thing to do is to map out the gaps. You need to have a roadmap, and you need to be able to demonstrate that you are at least making steps to achieve the end objective, and that will stand you in good stead. If you don’t have any of that in place, you are in trouble. And you don’t have very long to rectify the situation.”
Durbin says that regulators are realistic about the GDPR; they understand that not all organizations will be fully compliant by next May, but what they are looking for is intent. Has the organization bought into the fact that it needs to comply with the GDPR? And is it taking reasonable steps to ensure compliance?
To that end, companies will need to provide a roadmap and demonstrate progress. Those that do not, and that take a “head in the sand” approach to the new law, Durbin says, will be the ones that will garner the first big fines for non-compliance. “Nobody wants to be in that category,” he says.
The ISF Implementation Guide breaks the GDPR compliance roadmap down into two main phases: Phase A (Preparation) and Phase B (Implementation). Phase A needs top project management resources, Durbin says, because the data involved will not come in a nice, tidy package. It will require an extensive, enterprise-wide audit, and the time it takes will differ depending on how comfortable any given organization is with how it collects, stores, and manages data.
Phase B tends to cause organizations to ask themselves certain questions, Durbin says, such as “What process do we have in place? How do we manage data process impact assessment? How do we demonstrate lawful processing of data? How do we demonstrate that we can respond to subject access requests?” All of these are relatively new questions for organizations to ask regarding GDPR, and few organizations have ready answers.
WHAT IS PERSONAL DATA?
According to the GDPR, “personal data” has a few key characteristics; it must be:
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant, and limited to what is necessary
Kept in a form which permits identification of data subjects for no longer than is necessary
Processed in a manner that ensures appropriate security of the personal data
Source: Internet Security Forum
The bottom line, Durbin says, is that the GDPR considers an individual’s personally identifiable information to be almost sacrosanct. Supervisory authorities will have the power to make a difference in how that data is handled, and they will be looking early on for those organizations that can provide a roadmap to others by dint of their own compliance efforts.
“Nobody believes the GDPR can prevent data breaches, or that everybody will be able to tick the box on GDPR compliance on day one,” Durbin says. “But the authorities are saying, ‘this is the process, it’s here to stay, we have teeth, and we will use them if you don’t comply.’”
The GDPR Implementation Guide, as well as other GDPR-related materials, is available now to ISF member companies by way of the ISF website.