There’s less than one month to go before the GDPR implementation on May 25 2018. With that in mind, I’m going to look at how organisations are likely to be challenged and tested as GDPR becomes a daily reality.
GDPR takes a wide view of what constitutes personal identification information.
It’s worth bearing in mind you need to apply the same level of protection for things like an individual’s IP address or cookie data, as for name, address and Social Security numbers.
Organisations will also need the explicit consent of the “data subject” to hold their personal data.
No more hiding obscure data processing consent terms in the small print of contracts! You need to call them out clearly so the “data subject” is providing clear consent to process their data.
It’s important to consider all the following data:
- Web data such as IP address, cookie data and RFID tags
- Health and genetic data
- Racial or ethnic data
“Right to be forgotten” - a few shades of grey
The “right to be forgotten” is also likely to present some implementation “gotchas!”. Understanding the term “reasonable” is key here. Let’s look at what “right to be forgotten” means with a practical example.
Under GDPR and the UK DPA 2017, an individual data subject has the right to request that an organisation holding their data “forget them” once the data subject no longer has a relationship with the organisation.
So, for live data records this should be easy to achieve. Organisations need to delete the individual’s data record via their CRM system, thereby forgetting them within the live system. (Obviously with an audit or paper trail to prove this happened.)
Fine for the live system. However, it could be argued under GDPR or UK DPA 2017, an organisation also needs to search through all backups taken of the ERP system and then delete the entries within those backups to ensure the data subject is truly “forgotten”. The key term here within GDPR is the word “reasonable”.
(Is it reasonable to search through all of an organisation’s backup archives to delete an individual data subject’s details? Or is it actually “reasonable” to delete the individual’s “live” data objects from the CRM system and then make a note, so that if the CRM data is ever restored from backup, the organisation goes back and deletes those data subjects from the recovered CRM data?)
GDPR leaves much to interpretation, which gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
One thing that’s clear is the deadline.
GDPR fines and penalties
The big unanswered question is how penalties will be assessed.
Gartner believes that less than 50% of all organisations impacted will fully comply by that date. Companies found in violation of the GDPR can be fined up to 4% of their global annual revenue or 20 million Euros, whichever is higher.
How will fines differ for a breach that has minimal impact on individuals, versus one where their exposed PII results in actual damage? The consensus is that the UK and European regulators will quickly act on a few organisations found to be in breach, to send a clear message to others.
Only once the first set of organisations has been penalised will others be able to make a better assessment of the impact of fines. However, we are not advising you to wait and see what happens to competitors. If you haven’t done so already, it’s important to act now.
How GDPR will impact processes and systems
GDPR requirements will force organisations to change the way they process, store, and protect customers’ personal data.
For example, organisations will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.”
Personal data must also be portable from one organisation to another, and organisations must erase personal data upon request (i.e. the right to be forgotten).
There are some exceptions. For example, GDPR does not supersede any legal requirement that an organisation maintain certain data.
Several requirements will directly affect security teams. One is that organisations must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is, again, not well defined.
Possibly one of the biggest challenges will be reporting. Data breaches need to be reported to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. The related requirement to perform impact assessments is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
If you haven’t already, it’s important to get your GDPR strategy in place now. Compliance is complex and getting all processes into shape takes time.
Our 5 steps for GDPR compliance
- Set up a cross-functional data governance team, including a data protection officer and members from IT and business leadership. This cross-functional team should own the responsibility for GDPR compliance and will report directly to the board of directors. The team should also own the documentation of processes and decisions and policy development and do regular reviews of policies, processes, and technology choices.
- Launch a data mapping and analytics project to identify privacy-protected data across applications, servers, storage, endpoint devices, and cloud locations. Data classification, and knowing where your data is, is the foundation for GDPR compliance: you need to know your data to govern and manage it properly. Your data store is a good place to start, as most data ultimately ends up there, and you can run analytics on the secondary copy of data without impacting the performance of the primary copy. Conducting a data flow analysis will shed additional light on how data moves through the organisation, where copies are created, and where data ultimately gets stored.
- Use a single platform for data governance and policy management, and extend data governance and control to cloud-based data. Fragmented data stores, not only in primary production applications but also in secondary storage (like fragmented backup and archive applications), are a key challenge to achieving and maintaining GDPR compliance. Only when you have accounted for your data and can see it through a single pane of glass will you be able to respond to data access requests and data erasure requests, understand the extent of data breaches, fulfil data portability requests and, ultimately, ensure compliance. Using a single consolidated platform for backup, archive, and data management is also key to ensure protection and availability of data.
- Define state-of-the-art technology attributes and processes for structured and unstructured data. Using technology from an innovative vendor like our partner Lequinox will make it easier to stay on the technology evolution curve, and using the technology available will help you meet GDPR compliance targets more easily.
- Develop an incident response process for communicating with the local data protection authority (DPA), and a policy for reporting any breaches to the public, so that you can control what information gets disseminated once you are breached. Having a strong data governance process and full insight into your data will help your organisation be precise in its communication around data breaches. Don’t think “if I have a data breach”; think “what do I do when I have a data breach?”
If you haven’t already got your GDPR strategy in place, it’s important to act now. A Data Assessment can be a practical first step to meet ongoing compliance targets, but also to analyse and identify ways to help data deliver tangible business benefits.
If you would like to learn more about the benefits of a Data Assessment contact OCSL today. Our Data Experts will be happy to talk through your requirements and next steps.