Guest blog by Michael Rasmussen, The GRC Pundit, GRC 20/20
As the years go by, there is increasing focus on the protection of personal information around the world. Over time we have seen US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive.
The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and not a directive and does not require further national legislation. Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU residents. It does not matter if the organization resides in the EU. Fines can be stiff, going above €20 million or 4% of global revenues of an organization, whichever is greater.
The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
To be compliant and mitigate the risk of data protection incidents, organizations should:
- Establish a Data Processing Officer. In fact, this is required in the regulation (Articles 37-39) for all public authorities and organizations that are processing more than 5,000 data subjects in a 12-month period. This role is also called a Chief Privacy Officer.
- Define & Communicate Policies & Procedures with Training. The foundational component of any compliance program is outlining what is expected of individuals, business processes, and transactions. This is established in policies and procedures that need to be communicated to individuals, supported by proper training.
- Document Data Flows & Processes. Organizations should clearly document how individual data is used and flows in the organization and maintain this documentation in context of organization and process changes. This is a key component of managing information assets of individuals.
- Conduct Privacy Impact Assessments. The organization should do regular privacy impact assessments to determine risk of exposure of personal information. When events occur, the regulation specifically requires (Article 35) a data protection impact assessment.
- Implement, Monitor, & Assess Controls. Define your controls to protect personal data and continuously monitor to ensure these controls are in place and operating effectively.
- Prepare for Incident Response. The regulation requires data breach notification to supervisory authorities within 72 hours of detection. Organizations need to have defined processes in place and be prepared to respond to, contain, and disclose/notify of breaches that occur in the organization.
- Ensure Your Third Parties are Compliant. Many data protection breaches happen within third-party relationships (e.g., vendors, contractors, outsourcers, service providers). Organizations need to make sure their third parties are compliant as well and follow strict policies and controls that are aligned with the organization's own policies and controls.
This is a complete program that needs to be managed on a continuous basis to be compliant and minimize the risk of exposure under the GDPR. Organizations that attempt to manage this in documents, spreadsheets, and emails will find that this approach leads to inevitable failure. Manual spreadsheet and document-centric processes are prone to failure because they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciliation than on active data protection risk monitoring.
To address GDPR, organizations should avoid manual processes encumbered by documents, spreadsheets, and emails. They should look to implement a solution that can manage the full range and context of GDPR requirements and processes, so that compliance is managed consistently and continuously in the context of a distributed and dynamic business.