Unless you have been living in a cave, you have most probably heard about the General Data Protection Regulation (GDPR) buzz. Even worse, you might be responsible for actually implementing GDPR in your company/organization. Although the fines and sanctions for non-compliance are daunting, you don’t need to panic. With the correct planning, using administrative, IT-governance and technical controls and measures, you can comply with GDPR in time. The following guide does not discuss the background and introductory issues but rather highlights some of the more important points to keep in mind in order to jump-start GDPR compliance.
Disclaimer: GDPR is a legal text with lots of exceptions and peculiarities, therefore legal advice may also be needed.
(Very) High level overview
Starting with a very high level overview, you will first have to answer some fundamental questions so that you get into the framework and set the scope of the GDPR compliance project.
- What personal data is held across the organization?
- What kind of data, and who are the subjects? Is there any data belonging to children, or any special categories of data (health, biometric or genetic data, political opinions, religious beliefs, etc.) that carry stricter conditions?
- What kind of permissions have been obtained for that data?
- Did the Subjects give their consent (how)? Or did you obtain the data following contractual requirements? Maybe it is an issue of public interest?
- Note that consent is not the only way to go and that if your processing is based on consent then the subjects have stronger rights.
- What processes and systems are already in place for handling personal data?
- Review your IT, Network and Applications architecture. Hopefully, you already have in place an array of security processes, systems and controls.
- Note that an already existing Information Security Management System such as ISO 27001 covers a great deal of the measures needed to protect the handling of personal data. However, an ISO 27001 certification neither substitutes for nor lifts the obligation to be GDPR compliant, and cannot by itself cover all GDPR requirements.
- How is personal data secured throughout its lifecycle?
- Identify the processes that involve personal data.
- Personal data must be protected not only during its active lifetime, but also when it is archived to comply with data retention laws, and it must be securely deleted once the retention period expires.
- Are personal data being transferred outside the organization?
- Are data being transferred to 3rd parties and/or other entities, in the same or another country?
- Are there subcontracting/outsourcing agreements?
Preparing for GDPR Compliance
Once you have the framework set and the fundamental questions answered, you can proceed to the actual GDPR preparation, taking into consideration the following basic points:
- Management buy-in
- GDPR is actually a law (with administrative fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher), so you had better make sure senior management has realized its importance.
- You will need to appoint GDPR roles (and possibly a Data Protection Officer, see below)
- An auditor assessing conformance to any standard or compliance to law will always look for documentation. Therefore, you will need to have documented policies/procedures/work instructions as well as records proving that specific actions have indeed taken place. Once again ISO 27001 can provide a good background to build upon.
- You must document all personal data you hold in a data inventory.
- Information must be classified according to its sensitivity and the risk to the data subjects, so that controls can be matched to the classification.
- The dataflow of data along with the general architecture must be reviewed. You typically need to examine the systems/databases, the purpose of the processing, the categories of data processed, the methods of data transfer, the access to the data (including access from 3rd parties), the hosting locations (as well as the backup locations).
- Information that is retained after the end of its useful life (for example to comply with legal retention periods) is still subject to GDPR provisions, must be protected accordingly, and must be erased once the retention period is over.
- In many cases, a data protection impact assessment must be carried out.
- Processing of data must take place according to the GDPR principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), with fair processing notices to the subjects and a register of processing activities (the records of processing required by Article 30).
- Privacy notices and policies
- You must use a clear and plain language with notices and policies being transparent and easily accessible.
- Data subjects’ rights
- A major part of GDPR compliance concerns the data subjects’ rights. They have more rights and they can freely exercise them. They can ask to have access to their data, to have it corrected, ported or erased, to restrict or object to its processing, and they can withdraw the consent they have given. You generally have to respond within one month. As such you need to have the necessary forms and procedures in place, as well as a way to verify the identity of the requester.
- If the personal data you have stem from a consent-based process (and not, say, from contractual clauses) then you have to clarify your consent (and withdrawal) procedure. How do you seek for consent? How do you obtain it? Is it recorded? Can you verify it? What forms do you use for consent and for its withdrawal?
- Forget all about the tricks of the past in consent forms. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act. You should not use complex wording, double negations, small print, pre-ticked, hidden or misaligned boxes, or bundle consent with other terms and conditions. Moreover, you should not mix affirmative and negative questions one after the other, and withdrawing consent must be as easy as giving it.
- Are there any children’s data? Then you need the relevant parental consent forms. Where online services are offered directly to a child, consent of the holder of parental responsibility is required below the age of 16 (member states may lower this to 13), so you must also have systems in place that assess users’ ages and, if they are found to be minors, make reasonable efforts to obtain and verify parental consent.
- Data Protection Officer
- For certain specific categories (e.g. public authorities), when your core activities involve regular and systematic monitoring of subjects on a large scale, or when you process special categories of data on a large scale, you will need to appoint a Data Protection Officer. The DPO can actually be an employee of the company (or an external contractor), but must be independent, must not be penalised for performing the role, and must have direct access to and report directly to the highest level of management.
- Data security breaches
- Gone are the days when companies and organizations could silently cover up breaches and other security incidents. With GDPR you must have policies and procedures to react in a very prompt manner: the supervisory authority must be notified within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to the subjects), and the subjects themselves must be notified without undue delay when the breach is likely to result in a high risk to them.
- A breach register must be maintained (documenting every breach, its effects and the remedial action taken, whether or not it was notified), along with the breach notification form.
- Standard evidence collection and event reporting procedures must also be in place.
- Accountability Framework
- Given the legal background of GDPR, accountability plays a major role. It must be enforced through policies, monitoring, training, audits and assessments (see the assessment points below). Training is important so that all parties realize the importance of GDPR and their obligations.
- Apart from internal employees and staff, contracts with 3rd parties as well as any subcontracting or outsourcing must include GDPR clauses, while at the same time an information security procedure must be in place for external parties.
- Assessing the security status and the compliance level is mandatory, starting with a Risk Assessment and, where the processing is likely to result in a high risk to the subjects, a Data Protection Impact Assessment (DPIA).
- Reviews of policies, procedures, work instructions, forms and all documentation must take place periodically to make sure that everything is up to date.
- Internal and external audits must regularly take place, along with penetration tests.
- Certifications (e.g. against ISO 27001) further help the correct implementation of GDPR, but, in any case, they neither substitute for GDPR itself nor are they required.
- There must be a procedure for reporting and responding to spontaneous security findings.
- The operation of the security management system on which GDPR will be based must be monitored, using measurement records with the relevant indicators and metrics.
- Privacy by design and technical controls
- It is not a surprise that GDPR advocates “privacy by design” (and by default). Services and products must be privacy aware, with technical measures embedded to safeguard privacy from the design stage rather than bolted on afterwards.
- Encryption, pseudonymisation and minimisation/compartmentalisation are typical privacy properties that should be respected when designing a product or offering a service. Pseudonymisation in the GDPR sense means that the data can no longer be attributed to a specific subject without additional information (a key or a lookup table) that is kept separately and protected by its own controls; a simple unkeyed hash of an identifier does not achieve this, because the identifier can be recovered by hashing guesses.
- GDPR is not only about policies and legal matters. Technical controls will be needed, according to the state of the art and security best practices.
- Cross border data transfers
- Transfers within the EU/EEA are not restricted, but a legal basis must exist whenever personal data leaves the EU/EEA: an adequacy decision for the destination country, appropriate safeguards (such as Standard Contractual Clauses or, within a corporate group, Binding Corporate Rules), or one of the narrow derogations. The receiving entity must in any case adhere to the GDPR principles.
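To make the privacy-by-design points concrete, here is an added example (not code from the original post) showing keyed pseudonymisation, data minimisation and compartmentalisation of the re-identification information in Python. The customer records are constructed, fictitious data, the field names and the `Pseudonymiser` class are assumptions made for this illustration, and the lookup table is kept in memory only to keep the example self-contained; in a real system the key and the table would live in a separate, access-controlled store. The example also shows why an unkeyed hash of an e-mail address is not adequate pseudonymisation: a dictionary attack recovers the identifiers.

```python
"""Keyed pseudonymisation + minimisation of a customer export (illustrative)."""
import hashlib
import hmac
import secrets

# Constructed sample data: fictitious customers, not real people.
RAW_RECORDS = [
    {"email": "Alice@example.org", "name": "Alice Example",
     "dob": "1990-04-12", "country": "DE", "order_total": 120.50},
    {"email": "bob@example.net", "name": "Bob Example",
     "dob": "1985-11-02", "country": "FR", "order_total": 42.00},
    {"email": "alice@example.org", "name": "Alice Example",
     "dob": "1990-04-12", "country": "DE", "order_total": 15.00},
]

# Minimisation: the (hypothetical) analytics job only needs these columns,
# so name and date of birth never leave the source system.
ANALYTICS_FIELDS = ("country", "order_total")


def normalise(identifier: str) -> str:
    """Canonicalise the identifier so one person always maps to one token."""
    return identifier.strip().lower()


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256: NOT adequate pseudonymisation (see dictionary_attack)."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


class Pseudonymiser:
    """HMAC-SHA256 pseudonymisation with a separately held re-identification table.

    The secret key and the token->identifier table are the "additional
    information" that must be kept apart from the pseudonymised data set.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._lookup: dict = {}  # token -> identifier (separate store in practice)

    def token(self, identifier: str) -> str:
        """Keyed token: without the key, guesses cannot be checked against it."""
        return hmac.new(self._key, normalise(identifier).encode(),
                        hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        """Return a minimised record keyed by token; remember the mapping."""
        t = self.token(record["email"])
        self._lookup[t] = normalise(record["email"])
        out = {"subject_id": t}
        for field in ANALYTICS_FIELDS:
            out[field] = record[field]
        return out

    def reidentify(self, token: str):
        """Controlled re-identification, e.g. to serve an access request."""
        return self._lookup.get(token)

    def erase(self, identifier: str) -> bool:
        """Support erasure: drop the mapping so the token can no longer be resolved."""
        return self._lookup.pop(self.token(identifier), None) is not None


def dictionary_attack(tokens, candidates, tokenise):
    """Recover identifiers by tokenising guesses; succeeds only for unkeyed tokens."""
    rainbow = {tokenise(c): c for c in candidates}
    return {t: rainbow[t] for t in tokens if t in rainbow}


if __name__ == "__main__":
    p = Pseudonymiser(secrets.token_bytes(32))
    rows = [p.pseudonymise(r) for r in RAW_RECORDS]
    guesses = ["alice@example.org", "bob@example.net", "carol@example.com"]
    print("minimised rows:", rows)
    print("unkeyed hashes recovered:",
          dictionary_attack([naive_token(r["email"]) for r in RAW_RECORDS],
                            guesses, naive_token))
    print("keyed tokens recovered:",
          dictionary_attack([r["subject_id"] for r in rows], guesses, naive_token))
    print("erased alice:", p.erase("alice@example.org"),
          "-> reidentify:", p.reidentify(rows[0]["subject_id"]))
```

Note that erasing the lookup entry alone is only part of an erasure procedure: as long as the HMAC key exists, the controller can still recompute the token from the identifier, so the key must be protected as strictly as the table, and a full erasure also covers backups and any copies held by processors.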
Now that you have gone through this short GDPR heads-up, you will, hopefully, be in a better position to start planning and implementing your GDPR compliance project. If you already have an Information Security Management System in place, then you can build upon it. Otherwise more effort will certainly be needed. In any case, you will need the correct mixture of administrative measures and paperwork, as well as adequate technical controls. Last but not least, consider consulting your legal advisors to steer you through the legal issues of GDPR.