By 2018, the General Data Protection Regulation (GDPR) will require any company doing business in the European Union to more securely collect, store and use personal information.
That means companies must have a lot of the compliance work in place as they move through 2017. The question is, where should they be by the middle of the new year?
“With time ticking away, I’m guessing there’s going to be an increasingly panicked response from organizations that realize they should be a lot further along the road to compliance than they are,” Andrew Goodfellow-Swaap, information officer for Nottinghamshire County Council, said in an exchange on LinkedIn.
To reduce that panic, we reached out to several compliance practitioners who’ve spent the last couple of years immersed in the subject and asked where companies should be in their work by mid 2017.
Several pointed to a checklist published last month by Ireland’s Office of the Data Protection Commissioner. Others said they’ve found The Nymity Privacy Management Accountability Framework particularly helpful. The latter encompasses many of the items in the DPC checklist, though it’s geared more toward compliance mandates in general and not GDPR specifically.
The DPC checklist was among the most useful we studied. Here’s a condensed breakdown:
12 to-do items
The 11-page .pdf is loaded with actionable information. The document suggests companies be on top of the following by mid 2017:
- Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
- Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
- Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organization does and how aware customers, staff and service users are.
- Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
- Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
- Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
- Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
- Process children’s data carefully. Organizations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
- Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
- Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
- Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
- Get educated on the internal organizations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organizations operating in EU member states. Multinational organizations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.
Making it your own
Those approached for this article have taken guidelines like these and put their organizations’ stamps on it.
Craig Clark, information security and compliance manager for IT services at the University of East London, offered his own checklist. From a project point of view, he suggests the following be completed or nearly completed by mid 2017:
- C-Suite Awareness
- User Awareness
- DPO Appointment
- Information Identification
- Updated Privacy Notices
- Updated Data Protection Policies
- Updated Information Sharing Agreements
- Approved Data Privacy Impact Assessments
- Identification of any cross-border transfers
- Establishment of Data Subject Rights Management protocols
- Privacy by Design implemented into the Project Methodology
“A lot of guidance is still to be written by the ICO [UK Information Commissioner’s Office] but I’d want at least the above to be implemented,” Clark said.
7 comments on “Your new year’s resolution: get ready for GDPR”
This is excellent news–at least on the surface–and sets an admirable precedent.
As we US-onians are always quick to adopt new security technologies *cough* chip CC *cough* I look forward to reading about the EU’s successes and pitfalls when we implement the “Miles and Inches” analog in 2037
…just about when we realize our old Unix boxes are being “born again.”
@Bryan: I may be wrong, but I think you can resurrect your old Unix box today, just by redefining time_t as a long long, instead of an int… 🙂
@Mark: No you’re not wrong. I’m merely lampooning how we (the US) are at times slow to adopt new technologies (EU’s had chip CC for years, but only the past five months saw my cards converted). 40 years ago RAM was so costly it prompted decisions to foster what eventually became the y2k crisis. Despite what an ordeal that was, I expect we’ll still hear similar panics over legacy systems in 20 years, even though current tech could handily allay the problem with just a little love. I suppose I’m also lampooning a tenacious collective learning disability.
Plus maybe I can use (relatively) benign humor to assuage a bit of the jingoism that flies around so readily. 🙂
Just a side thought on all these regulations. To open a small business these days is becoming a loosing proposition. The infrastructure required to meet regulations is going to (if not already) be so cost prohibitive, starting a business out of the garage (legally) is pretty much over. I expect if you didn’t keep any customer data at all it would be in some tax violation, and if you do keep data it’s likely to cost more than the potential profit to meet legal requirements.
Fingers crossed that the net result is smarter design from the ground up–with better security as a bonus (even if it isn’t the primary concern of Joe C.E.O.).
Ironically for some who know just enough to be dangerous *ahem* not me *ahem* this could result in more homegrown security methods when pricey third-party software is out of budgetary reach. Let’s hope I did it right.
Um, I mean… let’s hope that doesn’t happen.
@Mahhn. You make a valid point but the sheer number of “disclosed” data security breaches shows clearly that companies / organisations just aren’t doing enough (even at a very basic level) to protect personal information of individuals. GDPR is trying to harmonise the protection required across EU Member States, or anyone who process EU citizen data.
Although the mantra – at least from the security profession – is that, “it’s a case of when not if” you will be breached, if you can evidence to your local ‘Supervisory Authority’ that you have taken at least some fundamental security measures / steps, then any sanction (usually in financial terns) will be significantly reduced.
And for the majority of businesses get some help – start with simple overview training to understand GDPR and how it relates to your own business and get an action plan together so you know what has to be done and who is to do it.