As businesses around the globe prepare to fully implement and comply with all the rules set forth by the EU in its General Data Protection Regulation (GDPR) by May 25, 2018, a few key points remain less than 100% clear to many organizational leaders.
One such matter of concern for many companies involves the role of the Chief Information Security Officer (CISO) in the context of the GDPR. All companies doing business with residents of the EU need to understand this role in order to fully and confidently comply with the Regulation’s goals to reform and greatly improve data protection for European citizens.
Who Is Your CISO?
Your organization’s CISO is, as the name indicates, responsible for your information security. As data breaches and other security issues continue to spiral in tandem with the world’s adoption of technology, this role is non-negotiable for businesses committed to protecting their data assets. On top of those concerns come the ever-changing data security landscape and diligent compliance with all incoming regulations from various governing bodies, such as the GDPR.
Is Your CISO Prepared to Expertly Manage the GDPR?
Full compliance with the GDPR by the May 25, 2018 enforcement deadline is crucial to the health of your business. You have probably heard or read about the stiff fines involved with non-compliance, and you simply do not want to risk your valued relationships with your EU customers or any other stakeholders in your business. The potential losses for all of those concerns combined could devastate your business, so your CISO must ensure that your organization is completely ready for compliance.
One way to ensure GDPR compliance is to put the right people and practices in place now, so that you are compliant from day one forward. But with so many new rules, you need to devise and test a solid preparedness strategy for yourself and everyone in your organization who handles data.
Following are six questions that can help your CISO determine your organization’s readiness for the GDPR:
1. What Information and Sensitive Personal Data Do We Hold, and Where and Why Do We Keep It?
From this point forward, as the CISO in the age of the GDPR, you need to always know precisely where any personally identifiable information (PII) held by your organization is stored. The best strategy to keep track of all personal data is to generate a Data Protection Impact Assessment (DPIA), which clearly documents and analyzes all high-risk data processing areas in your system.
During each DPIA, your team must be able to pinpoint any data that is being collected by end users in the organization and determine why that data is being collected. Performing this exercise prepares your organization to answer these questions during spontaneous regulatory inspections and to better prepare for consistent and complete GDPR compliance in official audits.
There are a few additional issues to consider when it comes to locating your organization’s personal data:
- Data formats subject to GDPR compliance include hard copy, visual, audio and alphanumeric records.
- You must be able to unify records for a 360-degree view of every EU customer.
- Understand your data flows, such as where any sensitive data is used and later moved between databases and applications.
2. Who Has Access Rights to Personal Data That Our Organization Holds?
Under the GDPR, all access to personal data must be authorized. It is vital that you know of any activities within your organization that require access to personal data and why that access is necessary. Data subjects have the right to request this information from you at any time, per Article 15 of the GDPR, so you must always have an appropriate answer that is in compliance with the Regulation.
Authorize only essential users in your organization to handle personal customer data in the live database, based on that data’s relevance to the user’s specific job role at the time of access. Set up controls that alert you to any access—authorized and unauthorized—to personal data.
3. Does Our Organization Hold Any Unnecessary Data Regarding EU Residents?
One of the core concepts of the GDPR is “data minimization,” meaning that when processing data of EU citizens, it is best to err on the side of “less is more”: if a piece of information is not essential to your organization or to the data subject’s account, do not collect or keep it.
4. Can We Quickly Detect, Investigate and Make Proper Notifications of a Data Breach?
The GDPR requires that organizations holding any data of EU residents notify the Data Protection Authorities (DPA) of a detected and investigated data breach within 72 hours of discovering it. Any breach that is likely to “result in a risk for the rights and freedoms of individuals” is subject to the notification requirement. Your data processors must also notify customers and controllers without delay once they become aware of the data breach.
5. Are We Prepared to Comply with All the Rights of EU Citizens Regarding Their Data?
Again, the cornerstone of the GDPR is to provide better rights and protections to EU citizens regarding their personal data. Following are a few key data subject rights with which your organization must comply:
- Enhanced Right to Information and Transparency. In addition to the rights afforded to data subjects under the Data Protection Directive, which preceded the GDPR, they are also entitled to know the approximate retention period of their data, to withdraw their consent at any time and to lodge a complaint.
- Right of Access and Rectification. The data subject has the right to request information about the processing of their data. Also, if the data subject discovers an error in their data, or they find any other inconsistencies, they have the right to request rectification of that error.
- Right to Erasure or “Right to be Forgotten.” The data subject has the right to request data erasure if processing is no longer necessary for its originally intended purpose or any time the data subject chooses to withdraw his or her consent.
- Right to Restriction. The data subject may request restriction of the processing of their personal data rather than erasure. The data subject may request restriction in cases where their personal data is not accurate or pending a decision on a complaint they have lodged.
- Right to Data Portability. The data subject may request a copy of their personal data in a commonly used and machine-readable format, such as a PDF. The purpose of this right is to allow the data subject to transmit their processed personal data to another controller—of the data subject’s choice—without any obstruction from the controller that originally collected the data.
Make sure that the staff members who may handle data subject rights matters understand the finer points of each of these rights and that they are granted to EU residents.
6. Do We Need to Appoint a DPO?
A Data Protection Officer (DPO) acts as an independent advocate for the protection of EU data subject rights. He or she is responsible for the proper care of all EU resident data, according to the GDPR.
Companies that need to appoint a DPO include those that process or store large volumes of personal data, whether for employees, individuals outside the organization, or both. Additionally, DPOs must be appointed for “all public authorities, and where the core activities of the controller or processor involve ‘regular and systematic monitoring of data subjects on a large scale’,” shares Digital Guardian.
If you do need to appoint a DPO, his or her duties will include informing staff about important GDPR compliance requirements, ensuring staff training on data processing, conducting GDPR audits to verify compliance and address issues quickly, and serving as a liaison between your organization and the GDPR authorities.
What Is Your CISO’s Overall GDPR Readiness Status for Your Organization?
How does your organization’s CISO feel about the upcoming GDPR enforcement deadline? Has he or she made sure that everyone understands their respective role in protecting EU data subjects’ rights? If you need help sorting it all out, our GDPR compliance auditors at I.S. Partners, LLC, can help.
The complexity of this Regulation is immense, and the consequences of non-compliance are ones no company can afford, so now is a good time to reach out for some additional insights and guidance.