The European Union General Data Protection Regulation (GDPR) becomes fully enforceable on May 25, 2018. According to recent surveys, 60% of companies polled are going to miss the deadline; it’s a sobering number considering how severe the fines and penalties could be for companies found to be noncompliant in the aftermath of a security breach. The reality is many businesses still do not understand what compliance with the GDPR really means.
With perhaps a few exceptions, every business that collects personal data from customers, clients, and vendors is going to experience a security breach where that data is exposed, compromised, and/or stolen. This inevitable fact is just one of the costs of doing business in an interconnected world. The GDPR does not, and cannot, expect businesses to patch unknown security vulnerabilities or avoid security incidents altogether. However, the GDPR does require businesses to make every effort to mitigate the damage security breaches have on people, particularly EU citizens.
To that end, it is vital that all enterprises take measured and documented steps to close security vulnerabilities, prevent security breaches, and mitigate the risks when prevention fails. The mere fact that an enterprise made a substantial and documented effort in this regard could be enough to establish GDPR compliance and avoid substantial fines and penalties after a security breach.
SEE: Getting ready for the GDPR: An IT leader’s guide (Tech Pro Research)
Here are 10 specific things your enterprise can and should do in preparation for the GDPR compliance deadline of May 25, 2018. (Note: The items on the list are not presented in any specific order; all of them are important, and progress on each should be well-documented.)
1. Educate employees about the GDPR
Every associate, employee, supervisor, manager, and executive must be educated on what the GDPR is and why compliance is vital to the enterprise’s success. Under the GDPR and other data protection and privacy laws, personal data should be treated as the most precious asset owned by the enterprise, an asset so precious that it must always be protected and handled with care.
Businesses should hold training sessions to explain the details of GDPR compliance to make sure every employee is aware of their role in protecting data throughout the organization. No amount of cybersecurity technology can protect a poorly trained workforce.
2. Assess privacy data
This step may seem like common sense, but many businesses fail to document exactly what kind of personal data they collect and process. The GDPR is very specific on this point: Every business must know what data is being collected, why it is being collected, how it is being processed, and by whom. Establishing this data assessment to the satisfaction of the GDPR may require a full information audit.
3. Establish applicable GDPR policies
Every enterprise falling under the jurisdiction of the regulation should have a comprehensive GDPR compliance policy in place. This specific policy will establish the foundation from which all other forms of GDPR compliance will be derived. A typical GDPR policy will establish procedures and protocols limiting access to personal data, set consent standards, and provide for practical procedures regarding the data subject’s right to access and, if requested, delete their personal data.
Besides creating a foundation for GDPR specifically, enterprises should also develop and implement a full set of policies regarding data security. Policies dealing with intrusion detection, data classification, privacy protection, password management, auditing and logging, and encryption, just to name a few, should all be developed in support of an overall GDPR compliance policy.
SEE: EU General Data Protection Regulation (GDPR) policy (Tech Pro Research)
4. Review personal data consent requests
One of the major provisions of the GDPR is the concept of acquiring clear consent to use personal data from the data subjects themselves. The GDPR establishes a clear definition of valid and lawful consent with regard to data subjects:
“Consent is an unambiguous indication of a data subject’s wishes that signifies an agreement by him/her to the processing of personal data relating to him/her.”
Every organization that collects and processes data should review their current consent requests and make any necessary adjustments to achieve GDPR compliance. In general, valid consent under the GDPR needs to be freely given, specific to a purpose, and unambiguous. If your enterprise consent requests do not meet these standards, you will have to change them before May 25, 2018.
SEE: GDPR consent request forms: Sample text (Tech Pro Research)
5. Check data management procedures
While the GDPR requires policies and procedures that establish enterprise-wide data security, there are also specific provisions of the regulation that require organizations to provide data subjects with access to their data.
Under the GDPR, a data subject must be able to request access to their data to check it for accuracy, assess what their data has been used for, and audit how it has been processed. In addition, data subjects must be able to request an electronic copy of their personal data that can be transferred to another organization. The data subject must also be able to request that all of their personal data be deleted in a timely manner.
If your enterprise does not currently provide these mechanisms for all data subjects, it is not in compliance with the GDPR and is subject to fines and penalties. This is a non-negotiable provision, and developers should begin working on these provisions immediately.
6. Document data privacy by design
Another main principle of the GDPR is the concept of privacy by design. Organizations collecting and processing personal data must design products, services, and public-facing communication infrastructure with privacy in mind from the very beginning of the development process.
This means that every development project should have a section stating the impact it will have on data privacy. Data Protection Impact Assessments should be an integral and documented part of every project going forward. To establish compliance with the GDPR, enterprises should implement procedures that require these steps and retrain personnel to include data protection in all development processes.
7. Develop procedures for security breaches
Under the GDPR, enterprises are expected to have a comprehensive plan in place for when personal data is exposed, compromised, and/or stolen because of a security breach. Every enterprise should have an intrusion detection and an incident response policy to mitigate any damage caused by a security breach.
Furthermore, under the GDPR, enterprises are expected to have a documented and functioning procedure for notifying data subjects that a security breach has occurred. The notification should include information about what data was compromised, when it occurred, the status of the security vulnerability, and where data subjects can get more information.
These procedures are mandatory for GDPR compliance and should be implemented before May 25, 2018, without exception.
SEE: GDPR data breach notification letter (Tech Pro Research)
8. Assess the need to hire a Data Protection Officer
Under certain conditions, the regulatory authorities enforcing the GDPR expect organizations to appoint or hire a Data Protection Officer (DPO). Persons in this position will be independently responsible for ensuring data protection policies and procedures are implemented and followed at all levels of the enterprise. The DPO will also serve as the main representative contact for authorities investigating security incidents.
The DPO is a high-level position that must report to an executive of the company. The DPO must also be qualified to hold the position either from an education in compliance law or experience in compliance law. Finding qualified candidates is likely to be a long process, so the sooner your enterprise begins its search the better.
At the very least, every enterprise should appoint a designated lead data protection authority for the organization so that regulators have a point of contact for the enterprise.
SEE: Hiring kit: GDPR data protection compliance officer (Tech Pro Research)
9. Perform Data Protection Impact Assessments
The GDPR requires enterprises to perform Data Protection Impact Assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of personal data. While this assessment is mandatory for future development, it can also be useful when looking back at past projects.
Enterprises should perform the assessment on their current processes and examine any previous process changes or implementations of new processes for data privacy and protection concerns. The documentation of this auditing procedure could reveal areas of data privacy and protection vulnerability and advance the enterprise toward the goal of GDPR compliance.
10. Analyze third-party risks
Under the GDPR, enterprises can be held liable for security breaches resulting in compromised personal data occurring while the data is controlled or being processed by third parties. Enterprises should conduct a thorough evaluation of the data protection policies and procedures implemented by any third-party contractors or partners.
In the eyes of GDPR regulators, security breaches occurring while data is controlled by non-GDPR-compliant third parties could be enough to deem your organization non-compliant as well. Documenting and assessing your third-party partners and contractors for data protection and privacy policies and procedures could save your company substantial fines and penalties.
Effort counts when it comes to GDPR compliance
No security protocol is perfect, and data breaches are a fact of life in the modern business environment. The most important thing to remember about complying with the GDPR and other data protection laws and regulations is that effort counts. Enterprises that can show documented proof that a good-faith effort toward GDPR compliance has been made, and that data protection and privacy policies, protocols, and procedures are in place, will have a much better chance of avoiding fines, penalties, and financial hardship when the next security breach occurs.