02 Apr What You Really Need To Know About The General Data Protection Regulation (GDPR)
– Silka Gonzalez, President, Enterprise Risk Management
Coral Gables, Fla. – Mar. 15, 2018
Chances are that you have heard the term ‘GDPR’ being spoken about in hushed tones or read snippets of news about it whilst browsing online. But so many people are still not aware of what GDPR is and what it will mean for their business in 2018. If you haven’t taken much notice until now, we’re here to give you the top facts, the information you really need to know about GDPR.
What is GDPR?
GDPR stands for General Data Protection Regulation. This new legislation marks the biggest change to European data protection rules in 20 years, and it will change the way that organizations, businesses and individuals handle customer information.
Why is GDPR important?
GDPR will apply to all members of the EU and EEA from May 25, 2018. It will replace today’s legislation regarding privacy in member countries currently subject to the EU Directive 95/46. You will find many of the statutes in the GDPR in the current legislation, but the GDPR is more detailed and precise in certain areas, and considers the challenges of the rapidly evolving digital world, which give rise to privacy risks for data subjects. GDPR is demanding due to its detailed transparency requirements. Any company or other body that processes personal data is also, to a considerable extent, required to document the processing, ensure the lawfulness of processing, document the existence of sufficient procedures, provide information on security measures and ensure that sufficient data processing agreements are in place. GDPR is important because it improves the protection of European data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.
What are the key changes of the GDPR?
Some of the key changes outlined in the GDPR include:
- Increased territorial scope – GDPR applies to businesses both inside and outside the EU. A physical presence in the EU is not required – only that they are engaged with individuals within the EU.
- Enhanced inventory requirements – Companies must have a solid understanding of the organization’s complete data lifecycle. Data Inventory, data mapping and a record of processing activities will need to be established by the company to track personal data associated with business processes, both internally and across third parties.
- Data minimization and restriction of processing – Personal data should only be stored and processed to the extent where it is necessary to the explicit purpose for which the data was originally collected. Data shall also not be stored longer than is necessary. Finally, individuals can also restrict processing their data to certain purposes such as direct marketing.
- Increased penalties – The fines associated with noncompliance are significant and can be as much as 20 million Euros or 4% of global sales, whichever is higher.
- Appointment of a Data Protection Officer (DPO) – Appointing a Data Protection Officer is mandatory for public authorities, but it is also required for private organizations if the data processing includes regular, systematic and large-scale monitoring of data subjects.
- Broader obligations for Data Controllers (organizations that manage and collect data of EU citizens or residents) – There is increased accountability and requirements for Data Controllers, including a need to demonstrate compliance by design, which includes the verification of adequate systems, contractual provisions, documented decisions about processing, and training being in place within the organization. Controllers will also be required to ensure all contracts with processors comply with GDPR.
- Direct obligations for Data Processors (any company that processes personal data on behalf of the Data Controller) – GDPR places direct statutory obligations on Data Processors. Data Processors will be subject to direct enforcement by supervisory authorities, serious fines for non-compliance and compensation claims by data subjects for any damage caused by breaching the GDPR.
- More timely data breach reporting – Should the data breach result in a significant risk to the individuals impacted, the Data Protection Authority (DPA) must be notified within a 72-hour time limit and impacted individuals must be notified without undue delay.
- Right of data portability – Data Controllers must provide data subjects with the means to move their personal data between controllers. This can be provided in two ways: an exported format which should be readable to any other controller, or an automated means of transferring data between controllers without the data subject being an intermediary.
- Right to Erasure (also known as Right to be Forgotten) – Individuals may withdraw their consent to processing their data at any time, and ask the data controller to erase their personal data. This must be done without undue delay. Reasonable steps must also be taken to inform third parties to remove any copies of that data.
- Stronger data subject consent – Explicit consent is required when collecting personal data from individuals with communication on why the information is being collected.
- Data Protection by Design and Default – The concept of privacy needs to be built into the fabric of the organization’s data practices and the information and platform architectures. Transparency, lawfulness, data minimization and data quality must be managed at each stage of the data lifecycle.
- Security and risk management – Organizations need to “implement technical and organizational measures to ensure a level of security appropriate to risk.”
What will GDPR mean for your business?
GDPR will come into force on 25th May 2018 and will replace the 1995 EU Data Protection Directive. Companies and organizations, as well as individuals processing or controlling customer data, will be impacted by this new legislation. GDPR will apply to all sensitive information including things like name and address, sexual orientation, religious information and genetic data. Under the new legislation, individuals will have the power to request what information a company holds on them, which means businesses will be under pressure to become better at data management and a new fine regimen will also apply.
An individual will be able to request access to information held on them by companies and organizations and the business will have one month to comply. GDPR doesn’t just apply to identifying information; the new act will also cover pseudonymized data, that is, personal data that has been replaced with pseudonyms or artificial identifiers, for example, replacing a customer name with a unique identifying number in a database or file.
How do I get ready for the GDPR?
- Prepare a data map, which is a report on what personal data the company processes throughout its organization, where that data flows throughout the organization, where it is stored, who within the organization is responsible for it, what it is used for, and with whom is it shared. This includes both personal data of the company’s employees and other personnel, as well as personal data of customers, clients, client representatives and other data subjects. The data map should also identify any “special categories” of personal data that are processed by the company.
1. Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation and data relating to criminal convictions or offences.
- Determine whether the company is required to appoint a Data Protection Officer. Either way, appoint an individual to be in charge of Data Protection compliance within the company.
- Decide how the company will receive and process data subjects’ requests to:
1. receive a portable copy of the personal data that the company has about them,
2. make changes to the personal data that the company has about them,
3. opt out of automated decision making by the company,
4. and request that the company delete the personal data that it has about them.
These requests can be made by employees/personnel or by other data subjects.
- Determine whether requests will be handled manually or by automated means.
- Determine what the contact points will be for data subjects to make these requests.
- If requests will be processed manually, determine who will process these requests and how this will be done.
- If requests are to be processed by automated means, develop code for receipt and automation of these requests.
- Determine whether the company engages in data processing activities that warrant privacy impact assessments. If so, create a template and process for privacy impact assessments and perform privacy impact assessments as needed. Also devise a process so that future rollouts which warrant a privacy impact assessment will be identified and the assessment will be done.
- Update and/or prepare privacy notices to company personnel, customers, clients and other data subjects about whom the company processes personal data.
- Decide what is your legitimate purpose (among the options afforded by the GDPR) for your data processing activities in each case. In many cases it will be for performing under an agreement with the data subject. This is the case for employees and customers with whom the company has agreements. To the extent that consent of the data subject is being relied on, review the method of obtaining that consent to see that it complies with the GDPR’s requirements for consent.
- Document the company’s information security program and its security incident response program.
- Determine which member state the company desires to identify as its “one-stop shop” Data Protection Authority. Determine whether registration requirements apply in that member state. If registration is required, register as required.
- Inventory company vendors and service providers that process personal data on behalf of the company. Check existing contracts to see whether GDPR-style provisions are included. If not, seek an addendum to be signed by the vendor or service provider. In addition to binding them contractually, also put in place a process for vetting vendors’ and service providers’ data protection practices. Vendors and service providers can be bucketed into priority categories based on how much personal data they process, the nature of the data they process, and the extent to which they process it.
- Determine how the company legitimizes exporting personal data from Europe under the existing Personal Data Directive. Model contracts? Privacy Shield? Binding corporate rules? Another means? Depending on what is already in place, determine how the company will legitimize exporting the data from Europe under the GDPR.
- Review or prepare a record retention policy for compliance with the GDPR’s requirements on how long personal data can be retained and under what circumstances it must be deleted or de-identified.
- Check the company’s existing employee training modules to see if they cover what is required under GDPR. If not, add content as necessary.
- Determine what direct marketing the company engages in. Review the extent to which consents are obtained for direct marketing. Consent is required in some but not all circumstances. Train personnel who are involved in direct marketing.
- Decide how the company will document its data processing activities now and going forward.
How can Enterprise Risk Management (ERM) help?
ERM is well placed to help you with the GDPR. ERM can provide practical advice on how to prepare in a comprehensive and proportionate way for the threats and opportunities it presents. We guide companies in:
- Data discovery – using automated tools (Structured data – Database discovery; Unstructured data discovery – DLP will not discover all of this data)
- Data flow mapping
- Compromise Assessment
- GDPR Gap Analysis
- Remediation – based on Compromise and Gap Analysis
- Formal Data Protection Program
- Data Protection Architecture
- Data Protection Policy Management
- Third Party Management
- Data Inventory Management
- Data Protection Risk Management
- Data Protection Incident Management
- Data Protection Training and Awareness Management
- Data Protection Communication Management
The new legislation will mean changes to data management processes and most companies and organizations will be affected, particularly those holding customer information on file. Will you be ready for the GDPR in May 2018?
– Silka Gonzalez, CPA CISSP CISA CISM CITP QSA, is President at Enterprise Risk Management
Enterprise Risk Management (ERM) is a cybersecurity company that specializes in cybersecurity services and training. ERM’s services include cybersecurity strategy, assessments, remediation, implementation, digital forensics, products and cybersecurity culture and awareness training. ERM has served over 300 clients in over 20 industries. Clients range from private and publicly held multinational companies to small businesses. Sample industries include banking, financial services, education, government, healthcare, retail, and technology.
© 2018 Enterprise Risk Management, Inc. All rights reserved.