After years of warning and clarifications, the time is nearly here. Enforcement of the EU’s General Data Privacy Regulation (GDPR) is due to start on May 25, 2018. Affected organizations find themselves at varying states of readiness, with some years into their journey and others just now realizing the mountainous effort required to achieve compliance.
If you find yourself in the latter camp, don’t despair. The hardest part of any long journey is starting. Here are seven steps to help start you down the path.
Step 1 – Determine if you are subject to GDPR
The GDPR’s primary focus is on the rights of European citizens. As such, where a company is based, or even where data is housed, is not the primary consideration. The mandate extends to all companies that process data to offer goods or services to European residents or that monitor the behavior of European residents. Any company that collects—or even just processes—personal data of EU citizens is subject to the law.
Step 2 – Learn the basics
Here are a few key terms and concepts:
- Personal data ≠ PII: The GDPR defines personal data quite broadly, well beyond the personally identifiable information (PII) standard of earlier legislation. Whereas PII refers to a relatively narrow range of data such as name, address, birth date, Social Security number and financial information such as credit card numbers or bank accounts, personal data can include social media posts, photographs, lifestyle preferences, transaction histories and even IP addresses.
- Data Controller: The entity that determines the purposes, conditions and means of the processing of personal data
- Data Processor: The entity that processes data on behalf of the Data Controller
- Data Subject: A natural person whose personal data is processed by a controller or processor
- Right of erasure (aka Right to be Forgotten): Neither the prerogative of a primary school math student nor the basis for a sci-fi movie plot, right of erasure entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
- Privacy by Design: A principle that calls for data protection to be built in from the outset of system design
Tip: Ignore the alarmists. Many GDPR consultants and software vendors menacingly tout the law’s maximum fine of €20M or 4% of annual revenue, whichever is greater. The truth is, fines of this size are reserved for repeated, serious violations. Initial penalties will be far lower, or more likely just a warning. That doesn’t mean you should take it easy: the real risk is spending time scrambling to respond to regulator questions, taking precious attention away from business goals.
Step 3 – Focus on the Key Articles
With 99 articles, the GDPR isn’t going to be anyone’s light summer reading. Not every article is created equal, and it can help to focus first on the most important ones.
- Article 30: Records of processing activities (RoPA). The RoPA centers on identifying where personal data is being processed, who is processing it and how it is being processed.
- Article 32: Security of Processing. Within Article 32 is the “Technical and organizational measures” language which states that organizations must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
- Tip: Appropriate means just that. Don’t let GDPR alarmists tell you that “appropriate” means you absolutely must buy their security software. The truth is we don’t know yet how regulators will enforce and interpret this article and others. Do your best, document your efforts, and that will go a long way to satisfying regulators.
- Article 35: Data Protection Impact Assessment (DPIA). A DPIA documents especially sensitive data processing and the protection measures that have been established for that processing.
Step 4 – Appoint a Data Protection Officer (If You Need To)
Not every organization will need a DPO, but with estimates of DPO positions topping 75,000, the time to determine if you need one is now. Under GDPR, a DPO is required for all public authorities, organizations which regularly process personal data on a large scale, and when sensitive data is processed.
GDPR language is maddeningly short on what terms such as “large scale” and “sensitive” mean, but DPOs will be needed by organizations that process personal data as a core part of their business and also by any organization that captures or processes any form of tracking and profiling on the internet, including for the purposes of behavioral advertising.
Step 5 – Establish Enterprise Visibility
Most organizations beginning their journey to GDPR compliance understand the importance of identifying the location of personal data repositories, and focus on systems such as SAP, Oracle databases and middleware, Marketo, and Salesforce. But these large systems often represent just a fraction of the systems that process personal data. Like the submerged part of an iceberg, the vast majority of applications are often effectively invisible and unconsidered by the GDPR team; they include SaaS applications purchased by business units with little to no involvement by IT.
Step 6 – Eliminate Personal Data Blind Spots
The funny thing about blind spots is that they are often unknown unknowns. You don’t even know you have them. While this works great for bald spots on the back of your head, it isn’t quite so advantageous when it comes to unknown personal data repositories. Use existing or new automated discovery tools to uncover all personal data repositories across the enterprise.
- Pro-Tip: Beware of mobiles. Mobile devices are regulated by GDPR, as are all technologies used for the processing of personal data. Not only do these devices maintain personal data, they also process information on the user. In addition, they are especially susceptible to being lost, potentially running afoul of GDPR directives on maintaining control of personal data.
Step 7 – Build Your People, Process, and Technology Arsenal
There is no silver bullet to GDPR compliance. No single application you can buy or consultant you can hire. Instead, GDPR compliance takes a combination of people, process, and technology.
People. Set up a cross-functional data governance team, made up of the DPO, IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing.
Process. Once the data governance team has defined what personal data means, they need to share this understanding across the organization. In addition, privacy rules must be documented and shared across all lines of business.
Technology. There are a number of solutions that can accelerate and maintain GDPR compliance, including: case management systems for handling data subject requests; data discovery systems for finding applications (including Snow’s own GDPR Risk Assessment), structured data, and unstructured data; Identity and Access Management to track role management and who has access to which data; and Software Asset Management, which can help create the system, user, and device visibility required to ensure claims of “compliance” are based on a complete understanding of the enterprise.
Still working on how to become GDPR compliant? Why not download our new eBook, 7 Steps to Kickstart Your GDPR Compliance? Just click on the link below.