The culmination of data protection laws in EU, the General Data Protection Regulation is the newest solution for a digital age with ever-increasing security threats. The overarching goal of the GDPR is to create transparency that benefits individual rights and economic growth for business alike. One of the core thought processes behind the GDPR is that by creating one simplified regulation, we can do away with the current broken and fragmented processes. Although many businesses will certainly struggle to understand how strict the GDPR is, once they become compliant, they will find it simpler and more cost-effective to conduct business across the EU.
What Types of Companies Must Comply with the GDPR?
Essentially, any company that does business, or plans to do business, with residents living in one of the countries within the European Union (EU)—wherein they will handle those residents’ data—must comply with the requirements of the GDPR.
Approved by the EU Parliament in April 2016, the GDPR sets out to level the playing field for companies of all sizes performing transactions with EU citizens, requiring them to thoroughly and properly shepherd their valued clients’ data. The GDPR is applicable to any processing and all data that originates within the EU, regardless of what type of company is doing the data processing, handling, storage or transferring.
The only way to opt out of GDPR compliance, or fines due to non-compliance, is to eliminate European customers and users from your potential market. In our global economy where so many businesses—especially multinational enterprises—rely on e-commerce and overseas sales for a healthy profit, eliminating 28 countries chock full of potential consumers who need certain products or services seems like a self-defeating option.
How Do I Know if I am GDPR Compliant?
Here are six questions to ask yourself to determine if your organization complies with GDPR regulations.
1. What personal data do we hold, and why do we keep it?
From this point forward, as the CISO in the age of the GDPR, you need to always know precisely where any personally identifiable information (PII) held by your organization is stored. The best strategy to keep track of all personal data is to generate a Data Protection Impact Assessment (DPIA), which clearly documents and analyzes all high-risk data processing areas in your system.
During each DPIA, your team must be able to pinpoint any data that is being collected by an organization end user and determine why that data is being collected. Performing this exercise prepares your organization to answer these questions during unannounced regulatory inspections and to better prepare for consistent and complete GDPR compliance in official audits.
There are a few additional issues to consider when it comes to locating your organization’s personal data:
- Data file formats subject to GDPR compliance include hard copy, visual, audio and alphanumeric.
- You must be able to unify records for a 360-degree view of every EU customer.
- Understand your data flows, such as where any sensitive data is used then later moved between databases and applications.
2. Who has access to the personal data that we handle?
All access to personal data must be authorized, under mandate of the GDPR. It is vital that you know of any activities within your organization that require access to personal data and why it is necessary. Data subjects have the right to request this information from you at any time, per Article 15 of the GDPR, so you must always have an appropriate answer that is in compliance with the GDPR.
Authorize only essential users in your organization to handle personal customer data in the live database, based on the data’s relevance to the user’s specific job role at the time of access. Set up controls that alert you to any access—authorized and unauthorized—to personal data.
3. Do we collect or store any unnecessary data regarding EU residents?
One of the core concepts of the GDPR is “data minimization,” meaning that when processing data for EU citizens, it is best to err on the side of “less is more,” if the information is not essential to your organization or the data subject’s account.
4. Can we quickly detect, investigate, and send notifications of a data breach?
The GDPR requires that organizations holding any data of EU residents notify the Data Protection Authorities (DPA) of a detected and investigated data breach within 72 hours of the breach’s discovery. Any breach that is likely to “result in a risk for the rights and freedoms of individuals” is subject to this notification requirement. Your data processors must also notify customers and controllers without delay once they become aware of the data breach.
5. Do we comply with all the data privacy rights of EU citizens?
Again, the cornerstone of the GDPR is to provide better rights and protections to EU citizens regarding their personal data. Following are a few key data subject rights with which your organization must comply:
- Enhanced Right to Information and Transparency. In addition to the rights afforded to data subjects under the Data Protection Directive, which preceded the GDPR, they are also entitled to know the approximate retention period of their data, to withdraw their consent at any time, and to lodge a complaint.
- Right of Access and Rectification. The data subject has the right to request information about the processing of their data. Also, if the data subject discovers an error in their data, or they find any other inconsistencies, they have the right to request rectification of that error.
- Right to Erasure or “Right to be Forgotten.” The data subject has the right to request data erasure if processing is no longer necessary for its originally intended purpose or any time the data subject chooses to withdraw his or her consent.
- Right to Restriction. The data subject may request restriction of the processing of their personal data rather than erasure. The data subject may request restriction in cases where their personal data is not accurate or pending the decision on a complaint they have lodged.
- Right to Data Portability. The data subject may request a copy of their personal data in a commonly used and machine-readable format, such as a PDF. The reason for this right is to allow the data subject the opportunity to transmit their processed personal data to another controller—of the data subject’s choice—without any obstruction from the controller that originally collected the data.
Make sure that the staff members who may handle such data subject rights matters understand the finer points of each of these rights and that they are granted to EU residents.
6. Do we need to appoint a DPO?
A Data Protection Officer (DPO) acts as an independent advocate for the protection of EU data subject rights. He or she is responsible for the proper care of all EU resident data, according to the GDPR.
Companies that need to appoint a DPO include those that process or store large volumes of personal data, whether for employees, individuals outside the organization, or both. Additionally, DPOs must be appointed for “all public authorities, and where the core activities of the controller or processor involve ‘regular and systematic monitoring of data subjects on a large scale’,” shares Digital Guardian.
If you do need to appoint a DPO, his or her duties will include informing staff about important GDPR compliance requirements, ensuring staff training on data processing, conducting GDPR audits to ensure compliance and address issues quickly, and serving as a liaison between your organization and the GDPR authorities. The responsibilities of the DPO should include:
- Provides necessary education and training for executives, management and employees on important GDPR compliance requirements, along with any other relevant EU or Member State data protection laws. The DPO must regularly reinforce the message regarding the importance of their compliance.
- Conducts audits to ensure compliance. These audits also allow for the opportunity to catch and address potential issues proactively.
- Serves as the contact person between the organization and the GDPR Supervisory Authorities.
- Communicates with data subjects, informing them about how their data is being used, as well as their rights to have their personal data erased. He or she also provides information about the measures in place to protect their personal information.
- Prepares and maintains comprehensive records of all data processing activities, as well as the purpose of those activities, performed by the organization. The DPO must make these records public upon request.
- Oversees performance and provides advice on the effectiveness of data protection efforts.
- Monitors the risk associated with processing operations, considering the nature, scope, context and purposes of processing.
What Is a GDPR Compliance Checklist?
Here are five checklist items to tick off as your organization prepares GDPR compliance efforts.
☐ Inventory Your Data and Investigate Its Current Security Status
Inventory and investigate your data to learn what data you hold on EU-based citizens. If you do not have any data on EU citizens, you may not need to proceed. However, given the global nature of business today, it is unlikely that you do not have some data in your system. If you do hold any EU resident data in your system, explore sites on the open, deep and dark web to see if you find any trace of your EU customers’ information. This step can help you proactively discover data leaks, so you can address them as soon as possible. With this step, you can begin your GDPR compliance project with a clean slate.
☐ Adjust Your Privacy Controls to Align with the GDPR with Privacy by Design
The GDPR requires U.S. companies to review privacy and data protection controls to ensure incorporation by design into any new or existing systems that involve personal EU citizen data. You may find yourself working without formally defined processes when designing and building a new environment. Many organizations are defining an overarching process that can be used by other business functions. Once built, these companies are training users from IT and other business areas within their organizations to incorporate privacy by design.
☐ Provide an Opt-In Requirement for Data Sharing
Since so much of the GDPR focuses on giving EU citizens a variety of information and freedoms regarding their data, companies are not allowed to share EU consumer data as a regular course. Therefore, instead of the standard opt-out model used in the U.S., which gives customers the option to not have their data shared with third parties, you will need to provide an opt-in option. You will not be allowed to collect or share EU consumer data by default, so you must give them the choice to opt in, wherein they must specifically consent to the collection and sharing of their data. You must provide this information in a direct, clear, specific and unambiguous way to EU citizens.
☐ Prepare for Data Protection Impact Assessments
The GDPR mandates that companies perform Data Protection Impact Assessments (DPIAs) to zoom in on “high risks” to EU consumer data privacy, which may come to light during data processing. Since the impact could be significant once the GDPR takes effect, many companies are performing preemptive, or “look back,” DPIAs on the processes and systems that may pose the highest risks. With this step, you can start the new GDPR phase on a completely level playing field.
What Not to Do When Seeking GDPR Compliance
Don’t compartmentalize the GDPR: instead of looking at it as simply a data security issue, look at it as a way to make your entire business run better. Every step that you and your GDPR team take toward compliance should focus on the global internal benefits to your entire business.
Don’t forget that GDPR is more than a series of boxes to check off your compliance list. Each day, the world becomes more digitally focused. Our global online economy places us right in the middle of a monumental digital transformation that stands to impact consumers from all around the world. This regulation will help your team continue adapting to the digital nature of global commerce as more nations are likely to follow suit in their own way.
Don’t assume that any software and other technological products will ensure GDPR compliance. Products geared toward providing detailed information, guidance and training can only take you so far. You will need to manually check everything since so much is on the line.
What to Do When Seeking GDPR Compliance
Do make sure that your decision-makers, staff, internal stakeholders and any other vested parties understand what GDPR is and why it is so important to the security of your customers and the success of your business.
Do hire an auditing firm that can help you navigate the many requirements associated with the GDPR. This takes some of the weight off your—and your busy IT team’s—shoulders, ensures full compliance and adds a measure of confidence, thanks to professionals who have dutifully and thoroughly gone through all the details of the GDPR and are eager to share their knowledge and experience to help you.
Do document all the personal data that your organization holds, as well as where it came from and with whom, or with what other entities, you have shared it.
Do review your organization’s current privacy notices, and launch a plan to make any necessary changes to meet the GDPR implementation deadline.
Do make sure you have good risk management since a risk-based approach is critical for any data security plan.
Do designate or hire a DPO, if you are not the DPO and have not already filled this crucial position, to take responsibility for data protection compliance. Determine where this key staff member’s role fits within your organization’s structure and your governance arrangements. Your DPO may work in other capacities within your organization, but those roles cannot be incompatible with their DPO functions. Finally, you may consider enlisting the services of an external service provider—such as a legal representative or a CPA—on a contracting basis.
Do consider any potential cross-border processing, which occurs when your organization operates in more than one of the 28 EU member states.
Do think about whether you need to implement changes to verify individuals’ ages and obtain parental consent, so that you comply with the GDPR’s requirements for protecting children’s data.
Do make sure that your team understands the need for strong communication, particularly when it comes to data breaches and providing appropriate notification to customers.
What Is Your GDPR Readiness Status?
The complexity of this Regulation is immense, and no company can afford the consequences of non-compliance, so now is a good time to reach out for some additional insights and guidance. If you need help sorting it all out, our GDPR compliance auditors at I.S. Partners, LLC can help.