How Organisations Should Be Preparing for the GDPR
Kris Lahiri, Chief Security Officer of Egnyte, takes a thorough look at how organisations should prepare for the upcoming General Data Protection Regulation (GDPR).
A report produced by Close Brothers in June 2016 revealed that only 4% of British small and medium-sized enterprises (SMEs) understand the impact of the European Union's upcoming General Data Protection Regulation (GDPR). A staggering 82% of the companies surveyed had either not heard of the GDPR or did not understand its importance, and the remaining 14% were seeking further advice on how it will affect their workflows.
Adjusting to the new rules will be easier if your organisation has maintained compliance with the 1995 EU Data Protection Directive, since the GDPR builds on it. Note, however, that the GDPR is a regulation rather than a directive: it applies directly in every member state without national implementing legislation. Businesses must ensure they can honour the rights the GDPR strengthens and prepare for the new ones, such as the right to data portability and, where applicable, the right to be forgotten (erasure). In a nutshell, companies operating under the current regime will have to get their house in order between now and May 2018.
On 25 May 2018, the new rules on the collection and use of personal data come into effect. In the post-GDPR world you will need a lawful basis for every processing activity; where that basis is consent, it must be freely given, specific, informed and unambiguous, and obtained before the data is collected. You must not keep personal data for longer than its purpose requires, so retention periods need to be defined and enforced. In the event of a personal data breach, you will have to notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, they must be told as well.
What's more, being based outside the EU won't save you. If you offer goods or services to people in any member state, or monitor the behaviour of any of the bloc's 508 million residents, you will be expected to comply. If you don't, you could face fines of up to €20 million or 4% of global annual turnover, whichever is higher.
So what are the steps to prepare for the GDPR?
Phase 1: Awareness
By now you should have raised GDPR awareness within your organisation. It's time to develop an approach, collect information on current policies and practices, and create a project plan. Gather the appropriate personnel to form a steering group and inform decision makers about the impact of the GDPR. Understand whether you are a data controller (you decide why and how personal data is processed), a data processor (you process it on a controller's behalf and under its instructions), or both.
Egnyte is both. We are the controller for the personal and sensitive data of our own EU employees, and our file-sharing solution, Egnyte Connect, processes customer data on our customers' behalf, which makes us a processor for that data. We do not have access to that data; our technology simply processes it for them.
The next step in Phase 1 is a complete information audit. You need to understand fully what personal data you hold, how you process it, and how you process customer data.
Ask the following questions:
• Where is personal data stored?
• What is it used for, and how long is it retained?
• How is it protected, at rest, in transit and in backups?
• Who controls it, and who can access it?
• Is it shared with third parties?
• Do you hold data of non-UK EU residents?
• Is data transferred across borders or outside the EEA?
What is your process for maintaining internal records of processing activities? If you don't have one, create a recordkeeping template now: the GDPR requires most organisations to keep such records (the exemption for organisations with fewer than 250 employees falls away where processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data), and a supervisory authority can ask to see them. Understand the legal grounds on which you currently collect and use data. In particular, examine where consent and where legitimate interests are relied on as the basis for processing personal data, and document both.
Involve your IT department and review its systems and procedures. Can they support the new individual rights within the statutory timelines? A subject access request must generally be answered within one month, and a breach must be reported to the supervisory authority within 72 hours of your becoming aware of it, so ask whether you can actually find, export and delete one person's data across every system in that time. Can you handle access requests, data portability (providing the data in a structured, commonly used, machine-readable format), erasure under the right to be forgotten, and the recording of objections to processing or withdrawal of consent? Has your HR department reviewed staffing requirements for data protection compliance and considered the same questions for employees in the EU?
Phase 2: Planning
Your steering committee should meet regularly to refine the plan. It should include Legal Counsel, HR, IT, the CISO or Head of IT Security, and Operations. Now is the time to prioritise key areas: decide whether you need to appoint a Data Protection Officer (DPO) and identify the processing with the highest risk and potential impact.
Not every organisation is obliged to appoint a DPO. The GDPR requires one for public authorities, for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions; for everyone else it is voluntary, but still sensible. A DPO must act independently, must not be penalised for doing the job, and reports to the highest level of management. Smaller organisations can outsource the function to a consultant or firm. The DPO will be responsible for advising on:
– The legal basis for processing and the new consent requirements
– Processing of sensitive (special category) personal data
– Compatibility of systems with new rights such as data portability
– The shorter time frame for subject access requests (one month, rather than the 40 days allowed under the Data Protection Act 1998)
Once the DPO is in place, review where a Data Protection Impact Assessment (DPIA) is needed; the DPO advises on it, but the controller is responsible for carrying it out. A DPIA is required wherever processing is likely to result in a high risk to individuals' rights and freedoms, particularly when new technologies are involved. It is always required for systematic and extensive profiling or other automated evaluation that produces legal or similarly significant effects, for large-scale processing of special categories of data, and for large-scale systematic monitoring of publicly accessible areas.
Now that you have outlined your processes and settled the DPO question, review your technical security measures and prepare for breach notification.
Set up internal procedures for identifying and escalating data breaches; establish the process for notifying the Information Commissioner's Office (ICO) within 72 hours and, where the risk to individuals is high, the affected individuals themselves; work out in advance what "risk to individuals" means for the data you hold, so that the decision can be made quickly under pressure; keep an internal log of every breach, including those you decide not to report, with the facts, effects and remedial action; and invest in effective ways of detecting breaches, since the 72-hour clock starts when you become aware of one.
Phase 3: Implementation
This phase requires implementing new processes, updating old policies, revising contracts and amending data collection procedures. Build data protection in by design and by default: collect only the minimum personal data necessary for each purpose, limit who can see it and how long it is kept, and make the protective setting the default rather than an option. Every product or service should be designed this way from the start.
Review and improve the transparency and legibility of all public-facing documents, such as privacy notices. Audit your supply chain and update contracts. Revise legacy contracts to include the terms the GDPR now makes mandatory between controllers and processors, and examine the adequacy of the mechanisms used for cross-border transfers (for example, contracts with cloud providers). Controllers need to review their selection criteria for processors and update contracts accordingly. Processors need to understand their new direct obligations and assess the impact.
Phase 4: Training
Stay abreast of the GDPR and UK plans for data protection reform through the Information Commissioner's Office (ICO). Implement the appropriate processes and policies to drive a change in company culture and to demonstrate compliance with all GDPR obligations, including staff training. Understand how approved codes of conduct and certifications can help with security compliance. Be prepared to incorporate data protection training into your onboarding programmes.
Consider registering with Fair Data for accreditation that enables you to demonstrate mastery of best practices. Check out their top ten tips for GDPR.
The GDPR may appear overwhelming, but it presents an opportunity for organisations to approach data privacy and compliance more strategically. Information Commissioner Elizabeth Denham says in her blog post, "The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information."
Fifteen months may seem like a long time to prepare, but the months will move quickly, and you will be much better off taking the approach outlined above to ensure you're ready by May 2018.
See the featured article on Computer Business Review