Many organizations that do business in the European Union are struggling with how to appropriately and reasonably comply with the data privacy and security requirements of the European Union General Data Protection Regulation by May 25, 2018.
The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of persons residing in the European Union (EU), regardless of the company's location.
Consequences for noncompliance with GDPR requirements can be very costly. Organizations can be fined up to 4% of their annual global revenue or 20 million Euros, whichever is greater.
Enterprises should familiarize themselves with some of the key GDPR requirements, as well as practical ways to comply with them.
Define how GDPR applies to your organization
First, identify how GDPR applies to your organization. Two types of organizations are subject to GDPR -- data controllers and data processors.
A data controller is an organization that determines the purpose and methods for processing personal data, such as a retailer that collects personal data while selling products to EU data subjects. A data processor is an organization that processes personal data on behalf of a data controller, such as a marketing firm that sends emails to EU data subjects on behalf of a retailer.
GDPR is expected to be applied to all data subjects in the EU, including EU citizens, noncitizen residents and even tourists visiting the EU.
GDPR requirements also apply to organizations outside the EU that process or monitor the personal data of EU data subjects, such as a U.S.-based developer that creates an application that, while being used by EU data subjects, collects personal data about them.
Identifying whether your organization is a data controller or data processor is a critical first step in understanding the organization's GDPR obligations and implementing appropriate controls to meet them.
Create a personal data map
For many organizations, one of the most challenging parts of complying with GDPR requirements is the regulation's definition of personal data. GDPR broadly defines personal data as any information related to a person that can be used to directly or indirectly identify the person. Such data can include, but is not limited to:
- Email address
- Financial account details
- Social network posts
- Medical information
- IP address
- ID number
In order to implement appropriate controls and processes to protect personal data, organizations need to thoroughly identify and map how such information is collected, managed and stored, as well as how it flows in, through and out of the organization. It will be difficult for an organization to achieve GDPR compliance if it does not identify and understand the personal data it holds and the related data handling processes that it's required to protect.
A personal data map will also help identify opportunities to pseudonymize and, thus, depersonalize personal data -- something that is encouraged by GDPR.
Smaller organizations may be able to manually map their personal data, but larger organizations will likely need to use a data mapping tool from a vendor such as Integris or OneTrust.
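As an added illustration (not code from the article or from any vendor tool), the script below models a minimal personal data map as a list of fields, the system holding each, and the external parties it flows out to, then pseudonymizes personal fields with a keyed HMAC so records can still be joined without exposing the raw value. The field, system and vendor names are constructed for the example, and the key is assumed to be generated and held by the controller separately from the pseudonymized data.

```python
import hashlib
import hmac
import secrets

# Constructed inventory: one entry per field, noting where it lives, whether it is
# personal data under GDPR's broad definition, and which outside parties receive it.
DATA_MAP = [
    {"field": "email", "system": "crm", "personal": True, "shared_with": ["mailing_vendor"]},
    {"field": "ip_address", "system": "web_logs", "personal": True, "shared_with": []},
    {"field": "order_total", "system": "orders", "personal": False, "shared_with": ["payments"]},
    {"field": "medical_notes", "system": "support_tickets", "personal": True, "shared_with": []},
]


def personal_fields_shared_with_vendors(data_map):
    """Return sorted (field, recipient) pairs for personal data leaving the organization.

    These are the flows that need a vendor assessment and a contract before sharing.
    """
    return sorted((e["field"], v) for e in data_map if e["personal"] for v in e["shared_with"])


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for the same input (so joins still work),
    but not linkable back to the person without the key. Under GDPR the key is the
    'additional information' that must be kept separately; the output is still
    personal data and needs protection, just with lower exposure if leaked."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, data_map, key: bytes) -> dict:
    """Replace every field the data map marks as personal; leave other fields as-is."""
    personal = {e["field"] for e in data_map if e["personal"]}
    return {k: (pseudonymize(v, key) if k in personal else v) for k, v in record.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumed: generated once, stored apart from the records
    sample = {"email": "Alice@Example.org", "order_total": "42.00"}
    print(personal_fields_shared_with_vendors(DATA_MAP))
    print(pseudonymize_record(sample, DATA_MAP, key))
```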
Implement cybersecurity best practices
GDPR compliance requires data controllers and data processors to implement appropriate technical and organizational security controls to protect personal data. The appropriateness of controls will vary among organizations depending on the type and amount of personal data they collect and the methods they use to handle the data. Organizations should use a risk-based approach that appropriately protects personal data while enabling important business processing and the storage of such data.
Base your cybersecurity program on a widely used and accepted set of cybersecurity best practices, such as the National Institute of Standards and Technology's Cybersecurity Framework or the Center for Internet Security's Critical Security Controls. Another option would be to follow an industry cybersecurity standard, such as PCI DSS or the Gramm-Leach-Bliley Act. Doing so will enable your organization to show that it has implemented appropriate and reasonable controls to protect personal data, and that it follows best practices.
In addition to requiring organizations to protect personal data that they directly collect and process, GDPR also requires organizations to manage vendors with whom they share personal data.
Before they provide personal data to a vendor, data controllers must assess whether the vendor will appropriately protect the data, and they must require the vendor to sign a contract that includes specific methods for how the personal data will be protected.
Prior to providing personal data to a vendor, data processors must obtain formal authorization from the data controller and require the vendor to sign a contract that includes specific methods for protecting the personal data the vendor will be working with.
GDPR vendor management should be incorporated into your organization's overall vendor risk management program. At a minimum, such a program should include:
- senior executive support for mandatory risk assessment of vendors;
- the right-to-audit cybersecurity and data protection practices clauses in vendor contracts;
- a short questionnaire to quickly assess the cybersecurity and data protection practices of vendors; and
- a risk scoring tool to prioritize vendor risks.
Develop a personal data breach response and notification process
GDPR requires data controllers to report unauthorized access to or use of personal data to regulators within 72 hours of a breach being discovered, except when there is a low risk to affected EU data subjects. A data controller must also notify the affected EU data subjects about the breach without undue delay.
Data processors are also required to notify data controllers about a personal data breach without undue delay after discovering a personal data breach.
Prepare now for a personal data breach. Well-defined and documented procedures that are specific to your organization will make it much easier to launch a rapid and well-coordinated response that enables your organization to meet the 72-hour deadline.
At a high level, your personal data breach process should include:
- a detailed procedure about how regulators and data controllers -- if your organization is a data processor -- will be notified, the type of information that will be provided in the notification and who will do the notification if a personal data breach occurs; and
- a detailed procedure about how EU data subjects impacted by a personal data breach will be notified and how quickly the notification will occur.
Both data controllers and data processors should define in advance what "without undue delay" means; it will be stressful and time-consuming to figure this out in the middle of a breach.
Be sure to test your personal data breach process at least annually. You don't want to be trying it out for the first time during a breach.
GDPR is an important regulation that any organization doing business in the EU should focus on complying with. With careful analysis, planning and design, organizations can appropriately and reasonably comply with GDPR requirements.