Make sure you understand the need to operationalize data management and security.
There has been a widespread rush to get organized and compliant in time for the May 25 deadline, when the EU data privacy law, the General Data Protection Regulation (GDPR), comes into effect. Little wonder when you consider what non-compliance with the GDPR could cost you: fines of up to 20 million euros (around $23.7 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Companies have been spending big and employing all sorts of different strategies to prepare for the GDPR. After redesigning and overhauling your data management policies and systems, you may feel entitled to a rest, but before you put your feet up it’s important to remember that compliance requires continuous action.
If you collect or process any personal data, then you need to think about the following things on an ongoing basis.
Data Protection Officer
The buck stops here. You must have a DPO (or virtual DPO) who is responsible for the management of data. It may have proven difficult to secure a qualified, experienced DPO with so many companies in the market for one, but it’s vital they know what they’re doing. If you assigned an existing employee, then you need to train them properly and allow them time to stay abreast of the latest regulations and procedures. If you drafted a virtual CISO as a stop-gap solution, you’ll want to think about your longer-term plan.
Breach reporting procedure
Having a good DPO should help with this, but you’ll still need to work to ensure that no one buries their head in the sand when a breach does occur. Even with robust security, data breaches are a fact of life, but with the GDPR you are legally required to report a breach within 72 hours. Don’t be like Equifax: get your procedure fully documented and educate all your staff about the rules.
Consent and rights
Make sure that you have a system in place to obtain proper consent from people to store their personal data – simple opt-in clicks are not sufficient. You also must be prepared to erase or restrict the use of that data and to provide people with copies on request. If you receive a Subject Access Request (SAR) you have 30 days to deliver extensive information on how you are processing the data, port it to another provider, or erase it permanently depending on the request.
Pseudonymization of data
It’s not enough to store and process data securely; you should also separate it, extracting what’s necessary for operational purposes from anything that could be used to personally identify who the data belongs to. If data can be attributed to a specific subject easily, then you need to act to remedy that by removing or obscuring direct identifiers. Pseudonymization is a clever way to preserve the usefulness of data and reduce the risk of exposure, providing a second line of defence if encryption or other defences fail.
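One way to carry out the separation described above, as an added example that is not from the original article: each record is split into an operational row keyed by an HMAC-based pseudonym and an identity row kept in a separate store. The field names, sample records and key are constructed for illustration.

```python
import hashlib
import hmac

# Assumed schema for this example; the article does not define field names.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

def pseudonym(email, secret):
    """Keyed, stable pseudonym. A plain hash of an email can be reversed by
    hashing guessed addresses; HMAC needs the secret to do that."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()[:32]

def split_record(record, secret):
    """Split one record into (operational_row, identity_row)."""
    pid = pseudonym(record["email"], secret)
    operational = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    operational["subject_id"] = pid
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    identity["subject_id"] = pid
    return operational, identity

def pseudonymize(records, secret):
    """Build the operational data set and a separate identity store.
    The identity store and the secret belong under tighter access control
    than the operational data."""
    operational_store, identity_store = [], {}
    for record in records:
        operational, identity = split_record(record, secret)
        operational_store.append(operational)
        identity_store[identity["subject_id"]] = identity
    return operational_store, identity_store

# Constructed sample data and key (a real key would come from a secrets manager).
SECRET = b"constructed-demo-key"
SAMPLE = [
    {"name": "Ana Ruiz", "email": "Ana.Ruiz@example.com", "phone": "555-0101", "plan": "pro", "spend": 120},
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.com ", "phone": "555-0101", "plan": "pro", "spend": 45},
    {"name": "Ben Okoye", "email": "ben@example.org", "phone": "555-0102", "plan": "free", "spend": 0},
]

if __name__ == "__main__":
    rows, identities = pseudonymize(SAMPLE, SECRET)
    for row in rows:
        print(row)
    print(len(identities), "subjects in the identity store")
```

The fields left in the operational rows can still single someone out in combination, so review them as well before treating the data set as pseudonymized.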
Data processors are liable
It used to be the case that only “data controllers” were subject to the law on breaches, but with the GDPR coming in that same principle applies to “data processors”. That means anyone processing data, even if it’s on the instructions of another company, is jointly liable in the event of a breach. In the modern business world, with the proliferation of cloud services and software, that could apply to several of your partners and vendors. Make sure everyone you do business with has the right protections and procedures in place.
Don’t rest on your laurels
Resist the temptation to relax as we move beyond that GDPR deadline. Just like your wider security measures, data management is something that must be continually assessed, tested, and tweaked for maximum efficiency and protection.
If you really want a clear picture of your potential exposure and solid advice on mitigation, then you should strongly consider regularly engaging a GDPR consulting firm to perform a risk assessment and gap analysis or even just a simple whiteboard session. You should also consider a business impact analysis to help you understand and hone your risk posture. Only by operationalizing your data management and security can you ensure continued compliance.