This is a critical year for those working to comply with the European Union’s (EU) General Data Protection Regulation (GDPR), which requires those doing business in the EU to more securely collect, store and use personal information by 2018.
Unfortunately, according to (ISC)2’s EMEA council, which covers issues concerning Europe, the Middle East and Africa, organizations aren’t doing too well, having accomplished precious little in the first year they had to get things in order.
In an advisory this weekend marking Data Privacy Day, the council warned of what it sees as poor acceptance of accountability across organizations and an apparent belief that the task ahead is one for the specialists – either legal or technical.
Those observations are based on the experiences of an international task force of (ISC)2 members working on GDPR implementation. The task force, which tracks and curates front-line experience with the compliance effort, mapped out the problems:
First observations from our group reveal that too many projects are falling at the first hurdle, with implementation teams unclear on or unable to secure business support or the budgets needed for compliance. Specialist knowledge is going into auditing and determining what is required, but it is being met with a lack of will or acceptance at a business unit level to move forward with projects that have been outlined. Progress that is being made tends to be linked to the roll-out of new initiatives, leaving gaps in addressing existing systems and processes.
If business leaders can’t appreciate the requirements placed on them, the effort must shift to helping them become clearer about their role in the process and the resources (both people and financial) required, the council said. To that end, it mapped out a two-point action plan:
Ensure GDPR gains a priority ranking on the corporate and board-level risk register. The council said this is justified by both the impact of failing to comply and the likelihood of a breach in the current threat landscape:
The impact goes beyond the now well-cited maximum fine of 4% of worldwide turnover. Individuals have gained new rights to demand action and compensation for damages linked to a breach of their rights, while the definition of what is considered “personal data” includes many new forms of electronic data, IP addresses and the like, that can lead back to them.
Emphasize the scope of what is required. This is not a simple “audit and adjust” exercise, the council said, adding:
GDPR places greater emphasis on the documentation and existence of processes in place for the governance of personal data, and demands companies define how they will deal with user requests related to many new individual rights, the most cited of which is perhaps the right to remove their data from their systems.
The (ISC)² EAC GDPR Task Force published an overview of the basics that can be used as a tool to help everyone understand and communicate the scope of what is required.
Last month, Naked Security focused on things companies need to do in 2017 to get ready for GDPR. Those interviewed for the article pointed to a checklist published by Ireland’s Office of the Data Protection Commissioner. Below is a condensed breakdown of that list, which will hopefully clear up some of the questions the council believes are holding organizations back:
12 to-do items
The 11-page PDF is loaded with actionable information. The document suggests companies be on top of the following by mid-2017:
- Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
- Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
- Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between how much data collection and processing the organization does and how aware customers, staff and service users are of it.
- Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
- Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
- Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
- Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
- Process children’s data carefully. Organizations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
- Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
- Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
- Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
- Get educated on the bodies managing GDPR. The regulation includes a “one-stop-shop” provision to assist organizations operating in EU member states. Multinational organizations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA), as their single regulating body in the country where they are mainly established.