How to integrate GDPR and protect yourself from a €20 million fine
15 March 2018
By Vee Punia
With the EU’s General Data Protection Regulation (GDPR) coming into effect on May 25th, the clock is ticking loudly to integrate the new data privacy laws. The stakes are likely higher than you imagine. If your organization is deemed to be non-compliant, you could face fines as staggering as €20 million or four percent of your global turnover. These unprecedented penalties are part of the EU’s global plan to aggressively protect the privacy rights of EU residents. The focus is on personal data that can be directly or indirectly used to identify an individual. This applies to all organizations that collect or process the personal data of EU citizens. While North American companies might think that they’re off the hook, multinationals take heed. This includes non-European based organizations that provide service to the EU.
To complicate matters, there’s a fair share of confusion surrounding what GDPR’s last phase involves and who needs to comply, as well as information that can be interpreted in multiple ways. As an infrastructure and security specialist and certified EU GDPR practitioner, these are the steps that I professionally recommend to ensure that your organization is ready for compliance.
8 Steps for integrating GDPR
1. Start data mapping: Identify how your organization handles personal data. The core way to make sure that you’re compliant is to conduct a comprehensive review of how your data is used, stored, retained, and backed up. Start mapping your current processes for collecting, holding and processing personally identifiable information (PII). Ensure that you have adequate security in place to protect this data. Collect a list of all vendors and find out whether they’re GDPR compliant. According to GDPR, both the collector (your organization) and the processor (any vendor who processes data on your behalf) are liable for data breaches.
2. Identify your high-risk data: Carefully assess your highest-risk personal and sensitive data. Data mapping all of your applications at the beginning of any project will give you insight into what needs a Data Protection Impact Assessment (DPIA).
3. Check your security certifications: Data privacy and security are two sides of the same coin. Ensure that you have adequate security controls in place to protect the personal information of your clients and customers. Security certifications like ISO 27001, SOC 1, SOC 2 and Cyber Essentials can help with GDPR compliance. Encrypting data both at rest and in transit is key to ensuring customer anonymity and keeping personal data safe, especially during a breach.
4. Prepare for Subject Access Requests (SAR): According to GDPR, your data subjects have the right to be informed about, and to object to, their data being used in automated systems. If they request that their information be deleted or exported, you must respond within one month (or else face large fines). Train your support staff to be ready for these kinds of requests and create phone and email script templates to address customer concerns. Also, consider automating these requests, for example through an API.
5. Report a major incident within three days: Build an incident response policy to ensure that an EU Supervisory Authority is notified within 72 hours. Penalties for not reporting serious breaches can be up to €20 million or four percent of your global turnover. Establish an incident response team including IT, security, management and communications. This team should be prepared to quickly identify and remediate the breach, as well as to assess whether it’s severe enough to be reported.
6. Establish an employee GDPR security awareness program: Build a GDPR security awareness program and train your employees company-wide about GDPR. Your team as a whole needs to use best practices for handling personal data.
8. Get clear consent: According to GDPR, consent has to be clear, informed, specific and freely given. Make sure that you have opt-in consent for sending emails and any other kinds of marketing messages. Opting out should be as easy as opting in. Log all of these activities in your backend database (for compliance auditing) and always include a privacy notice stating your purposes for using personal data. Then be diligent about using the data exclusively for those specific purposes.
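As an added illustration of steps 4 and 8 (example code, not part of the original article), the following Python sketch keeps an append-only consent ledger: every opt-in or opt-out is logged with its purpose and how it was collected, processing is allowed only when the subject’s most recent decision for that exact purpose was an opt-in, and a subject’s full record can be exported to answer a subject access request. All class, method and field names are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in (granted=True) or opt-out (granted=False) for one purpose."""
    subject_id: str
    purpose: str          # e.g. "marketing_email"; consent is purpose-specific
    granted: bool
    source: str           # how it was collected: "web_form", "unsubscribe_link", ...
    at: str               # ISO 8601 UTC timestamp


class ConsentLedger:
    """Append-only log of consent events, kept as the compliance audit trail.

    Withdrawal is recorded as a new event rather than by deleting the opt-in,
    so the history of who consented to what, when and how is preserved.
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               source: str, at: Optional[datetime] = None) -> ConsentEvent:
        stamp = (at or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(subject_id, purpose, granted, source, stamp)
        self._events.append(event)
        return event

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """True only if the subject's latest decision for this exact purpose
        was an opt-in. No event at all means no consent (purpose limitation)."""
        latest: Optional[ConsentEvent] = None
        for event in self._events:  # append order is chronological
            if event.subject_id == subject_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.granted

    def export(self, subject_id: str) -> List[Dict[str, object]]:
        """Everything held about one subject, for a subject access request."""
        return [asdict(e) for e in self._events if e.subject_id == subject_id]
```

Note that an opt-out leaves the earlier opt-in in the ledger: the audit trail shows both events, while `may_process` reflects only the latest decision.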
There are only a few months left to align your organization’s processes with GDPR. Keep in mind that the sole purpose of the new laws is to protect the personal information of your end users. It’s crucial to get your security policies up to speed with the ISO 27001 standard and to protect your PII, from handling email opt-ins and opt-outs, to subject access requests, consent notices, and privacy policies. Make sure that your organization also has strong response systems to address, report, and log any major breach within 72 hours. In the worst case, where you’re actually hit with an intrusion, do your due diligence now and be prepared to show that you did everything in your power to safeguard your clients and customers. You’re not only protecting your consumers, but yourself.
Vee Punia is Director, IT & Infrastructure at Q4, with over 17 years of experience in IT infrastructure management, compliance, security operations, ITIL change management and service delivery of enterprise and SaaS platforms.